cossacklabs / acra

Database security suite. Database proxy with field-level encryption, search through encrypted data, SQL injections prevention, intrusion detection, honeypots. Supports client-side and proxy-side ("transparent") encryption. SQL, NoSQL.
https://www.cossacklabs.com/acra/
Apache License 2.0

[ISSUE] Using Acra as proxy/encryptor with rails app fails to encrypt #585

Closed arffsaad closed 1 year ago

arffsaad commented 1 year ago

Describe the bug

I have used Acra for my own projects with both MySQL and Postgres and it works like a charm. Now I am trying to encrypt the database (PostgreSQL) of a chat app based on Rails (Chatwoot), but encryption doesn't seem to work at all.

The error that comes is written as: time="2022-09-28T06:57:05Z" level=error msg="Column count in RowDescription packet not same as parsed query count of columns

To Reproduce

Steps to reproduce the behavior:

  1. Install chatwoot (preferably not the docker version)
  2. Set up the acra-server and encryptor config (I followed the example configs very closely) and include one table + one column from it.
  3. Start acra (at this point the error logs already pop off)
  4. Data can be shown and inserted, but it is not encrypted.

Expected behavior

Acra does not show this error, and Chatwoot data is encrypted successfully with no issues.

Acra configuration files

For AcraServer: acra-server.yaml

version: 0.93.0
client_id: dbEncrypt
mysql_enable: false
postgresql_enable: true
db_port: 5432
db_host: 127.0.0.1
zonemode_enable: false
encryptor_config_file: "/etc/acra/acra-encryptor.yaml"

acra-encryptor.yaml

defaults:
  crypto_envelope: acrablock

schemas:
- table: users
  columns:
    - id
    - provider
    - uid
    - encrypted_password
    - reset_password_token
    - reset_password_sent_at
    - remember_created_at
    - sign_in_count
    - current_sign_in_at
    - last_sign_in_at
    - current_sign_in_ip
    - last_sign_in_ip
    - confirmation_token
    - confirmed_at
    - confirmation_sent_at
    - unconfirmed_email
    - name
    - display_name
    - email
    - tokens
    - created_at
    - updated_at
    - pubsub_token
    - availability
    - ui_settings
    - custom_attributes
    - type
    - message_signature
  encrypted:
  - column: name
    token_type: str
    tokenized: true

Environment:

Lagovas commented 1 year ago
encrypted:
  - column: name
    token_type: str
    tokenized: true

With these settings acra-server will tokenize data instead of encrypting it, so in your database you should expect replaced data instead of the real data that you try to store.

I'm not familiar with chatwoot, so it requires more time to reproduce this case. It will be much better if you show the whole logs from acra-server, not only one error row. And try to start acra-server with the -d flag, which turns on debug-level logs, before that.

arffsaad commented 1 year ago

Hi lagovas,

Thanks for the reply, yup my bad, I got confused about that. Yes, I was expecting tokenization. But the data was kept as is, and no tokenization was done. I have used the same config on another DB with another project, which was a PHP app; it works fine and tokenization was done as intended. Here are the logs. If you inspect them you can find the error that I mentioned. At the same time, I will also attach the structure of the table on which I was trying to perform tokenization.


acra.log

Lagovas commented 1 year ago

Hi, my apologies for the delayed response. I tried to deploy chatwoot using docker-compose, added acra-server with your encryptor config to it, and see that it works as expected. I just extended it with:

acra-server:
    image: cossacklabs/acra-server:current
    restart: always
    environment:
      ACRA_MASTER_KEY: ${ACRA_SERVER_MASTER_KEY:-vcACAvdoLT24yWtjAEB/IVcBjjSx/MxOBveQWMq2V+o=}
    ports:
      - "9393:9393"
    volumes:
      - /tmp/.acrakeys:/keys
      - /tmp/encryptor-config.yaml:/encryptor-config.yml
      - /tmp/acra/tests/ssl:/ssl
      - /tmp/logs:/tmp/logs
    command: >-
      --db_host=postgres
      --client_id=client
      --db_port=5432
      --keys_dir=/keys
      --encryptor_config_file=/encryptor-config.yml
      --tls_auth=4
      --tls_ca=/ssl/ca/ca.crt
      --tls_cert=/ssl/acra-server/acra-server.crt
      --tls_key=/ssl/acra-server/acra-server.key
      --log_to_file=/tmp/logs/log.txt
      -d

with acra-server's container, with pre-generated keys on the host machine for --client_id=client and using SSL certs from the Acra repository, just because they already exist as self-signed certs with the expected server name acra-server. Additionally, I updated the .env file (used .env.example from chatwoot's repo) with

DATABASE_URL=postgresql://test:test@acra-server:9393/chatwoot?sslmode=disable
#POSTGRES_DATABASE=
#POSTGRES_HOST=localhost
#POSTGRES_PORT=9393
#POSTGRES_USERNAME=test
#POSTGRES_PASSWORD=test

to avoid complications with SSL and just to test with a statically specified client_id. After the initial chatwoot registration, I found the tokenized name value in the database by querying PostgreSQL directly.

So, please try this configuration one more time or provide some environment to reproduce your problem, for example a docker-compose script of the deployment or something reproducible.

P.S. I read your log file and found the error: time="2022-09-29T08:31:24Z" level=error msg="Column count in RowDescription packet not same as parsed query count of columns". My first thought was that the problem is an incorrect encryptor_config and table description, or an inappropriate table schema in the database. Or an issue related to the recently fixed problem with quoted columns (RoR wraps identifiers with double quotes, like select "inboxes".* from "inboxes" where "inboxes"."channel_type" = $1), but it works with 0.93.0 without fixes.

P.S.2 I tested with the cossacklabs/acra-server:0.93.0 and :current (current master state) images; both work.

P.S.3 Keep in mind that in my example of acra-server's container I used configs and certs from the host machine's /tmp folder. Use your own or place them into the same place.
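One way to test the maintainer's first hypothesis offline (an encryptor config whose column list does not match the real table): the script below is an added example, not Acra's own code, compares one 'schemas' entry with the table's column list, and uses a constructed dict for the config and a constructed stand-in for the information_schema result.

```python
# Added example (not Acra's own code): compare one 'schemas' entry of an
# acra-encryptor.yaml, as yaml.safe_load() would return it, against the
# columns of the live PostgreSQL table it describes.

# The issue's acra-encryptor.yaml, with the 'columns' list shortened here.
ENCRYPTOR_CONFIG = {
    "defaults": {"crypto_envelope": "acrablock"},
    "schemas": [{
        "table": "users",
        "columns": ["id", "provider", "uid", "encrypted_password", "name",
                    "display_name", "email", "created_at"],
        "encrypted": [{"column": "name", "token_type": "str", "tokenized": True}],
    }],
}

# Constructed stand-in for the result of
#   SELECT column_name FROM information_schema.columns
#   WHERE table_name = 'users' ORDER BY ordinal_position;
# The live table carries one column ('updated_at') the config does not list.
LIVE_SCHEMA = {
    "users": ["id", "provider", "uid", "encrypted_password", "name",
              "display_name", "email", "created_at", "updated_at"],
}


def check_table(entry, live_columns):
    """Return the problems found for one 'schemas' entry (empty list means OK)."""
    table, declared = entry["table"], entry.get("columns", [])
    problems = []
    # A count mismatch is the first suspect for the RowDescription error in this issue.
    if len(declared) != len(live_columns):
        problems.append(f"{table}: {len(declared)} columns in config, "
                        f"{len(live_columns)} in database")
    for col in live_columns:
        if col not in declared:
            problems.append(f"{table}: live column {col!r} missing from config")
    for col in declared:
        if col not in live_columns:
            problems.append(f"{table}: config column {col!r} not in database")
    # Every 'encrypted' entry must name a declared column; tokenized ones need a token_type.
    for enc in entry.get("encrypted", []):
        col = enc["column"]
        if col not in declared:
            problems.append(f"{table}: encrypted column {col!r} not in 'columns'")
        if enc.get("tokenized") and "token_type" not in enc:
            problems.append(f"{table}.{col}: tokenized without token_type")
    return problems
```

Run it as `check_table(ENCRYPTOR_CONFIG["schemas"][0], LIVE_SCHEMA["users"])`; against the real database, replace LIVE_SCHEMA with the rows returned by the information_schema query in the comment.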

Lagovas commented 1 year ago

I'm closing it since it looks like it works and there has been no answer for a month. Feel free to re-open if it still doesn't work, with steps to reproduce.