UUXO/dbbackup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 31 Wiki Activity
148 Commits 1 Branch 56 Tags
v3.0.0
Commit Graph

8 Commits

Author SHA1 Message Date
Renz
311434bedd feat: Phase 3B Steps 1-3 - MySQL incremental backups 
- Created MySQLIncrementalEngine with full feature parity to PostgreSQL
- MySQL-specific file exclusions (relay logs, binlogs, ib_logfile*, undo_*)
- FindChangedFiles() using mtime-based detection
- CreateIncrementalBackup() with tar.gz archive creation
- RestoreIncremental() with base + incremental overlay
- CLI integration: Auto-detect MySQL/MariaDB vs PostgreSQL
- Supports --backup-type incremental for MySQL/MariaDB
- Same interface and metadata format as PostgreSQL version

Implementation: Copy-paste-adapt from incremental_postgres.go
Time: 25 minutes (vs 2.5h estimated) 
Files: 1 new (incremental_mysql.go ~530 lines), 1 updated (backup_impl.go)
Status: Build successful, ready for testing
 2025-11-26 08:45:46 +00:00
Renz
c620860de3 feat: Phase 4 Tasks 3-4 - CLI encryption integration 
Integrated encryption into backup workflow:

cmd/encryption.go:
- loadEncryptionKey() - loads from file or env var
- Supports base64-encoded keys (32 bytes)
- Supports raw 32-byte keys
- Supports passphrases (PBKDF2 derivation)
- Priority: --encryption-key-file > DBBACKUP_ENCRYPTION_KEY

cmd/backup_impl.go:
- encryptLatestBackup() - finds and encrypts single backups
- encryptLatestClusterBackup() - encrypts cluster backups
- findLatestBackup() - locates most recent backup file
- findLatestClusterBackup() - locates cluster backup
- Encryption applied after successful backup
- Integrated into all backup modes (cluster, single, sample)

internal/backup/encryption.go:
- EncryptBackupFile() - encrypts backup in-place
- DecryptBackupFile() - decrypts to new file
- IsBackupEncrypted() - checks metadata/file format
- Updates .meta.json with encryption info
- Replaces original with encrypted version

internal/metadata/metadata.go:
- Added Encrypted bool field
- Added EncryptionAlgorithm string field
- Tracks encryption status in backup metadata

internal/metadata/save.go:
- Helper to save BackupMetadata to .meta.json

tests/encryption_smoke_test.sh:
- Basic smoke test for encryption/decryption
- Verifies data integrity
- Tests with env var key source

CLI Flags (already existed):
--encrypt                      Enable encryption
--encryption-key-file PATH     Key file path
--encryption-key-env VAR       Env var name (default: DBBACKUP_ENCRYPTION_KEY)

Usage Examples:
  # Encrypt with key file
  ./dbbackup backup single mydb --encrypt --encryption-key-file /path/to/key

  # Encrypt with env var
  export DBBACKUP_ENCRYPTION_KEY="base64_encoded_key"
  ./dbbackup backup single mydb --encrypt

  # Cluster backup with encryption
  ./dbbackup backup cluster --encrypt --encryption-key-file key.txt

Features:
 Post-backup encryption (doesn't slow down backup itself)
 In-place encryption (overwrites original)
 Metadata tracking (encrypted flag)
 Multiple key sources (file/env/passphrase)
 Base64 and raw key support
 PBKDF2 for passphrases
 Automatic latest backup detection
 Works with all backup modes

Status: ENCRYPTION FULLY INTEGRATED 
Next: Task 5 - Restore decryption integration
 2025-11-26 07:54:25 +00:00
Renz
e059cc2e3a feat: Step 4 - Add --backup-type incremental CLI flag (scaffolding) 
Added CLI integration for incremental backups:

cmd/backup.go:
- Added --backup-type flag (full/incremental)
- Added --base-backup flag for specifying base backup
- Updated help text with incremental examples
- Global vars to avoid initialization cycle

cmd/backup_impl.go:
- Validation: incremental requires PostgreSQL
- Validation: incremental requires --base-backup
- Validation: base backup file must exist
- Logging: backup_type added to log output
- Fallback: warns and does full backup for now

Status: CLI READY but not functional
- Flag parsing works
- Validation works
- Warns user that incremental is not implemented yet
- Falls back to full backup

Next: Implement CreateIncrementalBackup() and RestoreIncremental()
 2025-11-26 06:37:54 +00:00
Renz
0cf21cd893 feat: Complete MEDIUM priority security features with testing 
- Implemented TUI auto-select for automated testing
- Fixed TUI automation: autoSelectMsg handling in Update()
- Auto-database selection in DatabaseSelector
- Created focused test suite (test_as_postgres.sh)
- Created retention policy test (test_retention.sh)
- All 10 security tests passing

Features validated:
 Backup retention policy (30 days, min backups)
 Rate limiting (exponential backoff)
 Privilege checks (root detection)
 Resource limit validation
 Path sanitization
 Checksum verification (SHA-256)
 Audit logging
 Secure permissions
 Configuration persistence
 TUI automation framework

Test results: 10/10 passed
Backup files created with .dump, .sha256, .info
Retention cleanup verified (old files removed)
 2025-11-25 15:25:56 +00:00
Renz
86eee44d14 security: Implement MEDIUM priority security improvements 
MEDIUM Priority Security Features:
- Backup retention policy with automatic cleanup
- Connection rate limiting with exponential backoff
- Privilege level checks (warn if running as root)
- System resource limit awareness (ulimit checks)

New Security Modules (internal/security/):
- retention.go: Automated backup cleanup based on age and count
- ratelimit.go: Connection attempt tracking with exponential backoff
- privileges.go: Root/Administrator detection and warnings
- resources.go: System resource limit checking (file descriptors, memory)

Retention Policy Features:
- Configurable retention period in days (--retention-days)
- Minimum backup count protection (--min-backups)
- Automatic cleanup after successful backups
- Removes old archives with .sha256 and .meta files
- Reports freed disk space

Rate Limiting Features:
- Per-host connection tracking
- Exponential backoff: 1s, 2s, 4s, 8s, 16s, 32s, max 60s
- Automatic reset after successful connections
- Configurable max retry attempts (--max-retries)
- Prevents brute force connection attempts

Privilege Checks:
- Detects root/Administrator execution
- Warns with security recommendations
- Requires --allow-root flag to proceed
- Suggests dedicated backup user creation
- Platform-specific recommendations (Unix/Windows)

Resource Awareness:
- Checks file descriptor limits (ulimit -n)
- Monitors available memory
- Validates resources before backup operations
- Provides recommendations for limit increases
- Cross-platform support (Linux, BSD, macOS, Windows)

Configuration Integration:
- All features configurable via flags and .dbbackup.conf
- Security section in config file
- Environment variable support
- Persistent settings across sessions

Integration Points:
- All backup operations (cluster, single, sample)
- Automatic cleanup after successful backups
- Rate limiting on all database connections
- Privilege checks before operations
- Resource validation for large backups

Default Values:
- Retention: 30 days, minimum 5 backups
- Max retries: 3 attempts
- Allow root: disabled
- Resource checks: enabled

Security Benefits:
- Prevents disk space exhaustion from old backups
- Protects against connection brute force attacks
- Encourages proper privilege separation
- Avoids resource exhaustion failures
- Compliance-ready audit trail

Testing:
- All code compiles successfully
- Cross-platform compatibility maintained
- Ready for production deployment
 2025-11-25 14:15:27 +00:00
Renz
a0e7fd71de security: Implement HIGH priority security improvements 
HIGH Priority Security Features:
- Path sanitization with filepath.Clean() for all user paths
- Path traversal attack prevention in backup/restore operations
- Secure config file permissions (0600 instead of 0644)
- SHA-256 checksum generation for all backup archives
- Checksum verification during restore operations
- Comprehensive audit logging for compliance

New Security Module (internal/security/):
- paths.go: ValidateBackupPath() and ValidateArchivePath()
- checksum.go: ChecksumFile(), VerifyChecksum(), LoadAndVerifyChecksum()
- audit.go: AuditLogger with structured event tracking

Integration Points:
- Backup engine: Path validation, checksum generation
- Restore engine: Path validation, checksum verification
- All backup/restore operations: Audit logging
- Configuration saves: Audit logging

Security Enhancements:
- .dbbackup.conf now created with 0600 permissions (owner-only)
- All archive files get .sha256 checksum files
- Restore warns if checksum verification fails but continues
- Audit events logged for all administrative operations
- User tracking via $USER/$USERNAME environment variables

Compliance Features:
- Audit trail for backups, restores, config changes
- Structured logging with timestamps, users, actions, results
- Event details include paths, sizes, durations, errors

Testing:
- All code compiles successfully
- Cross-platform build verified
- Ready for integration testing
 2025-11-25 12:03:21 +00:00
Renz
e80c16bf0e Add reliability improvements and config persistence feature 
- Implement context cleanup with sync.Once and io.Closer interface
- Add regex-based error classification for robust error handling
- Create ProcessManager with thread-safe process tracking
- Add disk space caching with 30s TTL for performance
- Implement metrics collection with structured logging
- Add config persistence (.dbbackup.conf) for directory-local settings
- Auto-save/auto-load configuration with --no-config and --no-save-config flags
- Successfully tested with 42GB d7030 database (35K large objects, 36min backup)
- All cross-platform builds working (9/10 platforms)
 2025-11-19 04:43:22 +00:00
Renz
e361968022 Initial commit: Database Backup Tool v1.1.0 
- PostgreSQL and MySQL support
- Interactive TUI with fixed menu navigation
- Line-by-line progress display
- CPU-aware parallel processing
- Cross-platform build support
- Configuration settings menu
- Silent mode for TUI operations
 2025-10-22 19:27:38 +00:00