Merge pull request #61 from fystack/feat/badger-backup

Implement badger backup recovery

Author: anhthii

README.md

@@ -107,6 +107,32 @@ Each Mpcium node:
 - **Scalable and pluggable**: Easily expand the cluster or integrate additional tools
 - **Secure peer authentication**: All inter-node messages are signed and verified using Ed25519
 
+## Configuration
+
+The application uses a YAML configuration file (`config.yaml`) with the following key settings:
+
+### Database Configuration
+
+- `badger_password`: Password for encrypting the BadgerDB database
+- `db_path`: Path where the database files are stored
+
+### Backup Configuration
+
+- `backup_enabled`: Enable/disable automatic backups (default: true)
+- `backup_period_seconds`: How often to perform backups in seconds (default: 300)
+- `backup_dir`: Directory where encrypted backups are stored
+
+### Network Configuration
+
+- `nats.url`: NATS server URL
+- `consul.address`: Consul server address
+
+### MPC Configuration
+
+- `mpc_threshold`: Threshold for multi-party computation
+- `event_initiator_pubkey`: Public key of the event initiator
+- `max_concurrent_keygen`: Maximum concurrent key generation operations
+
 ## Installation and Run
 
 For full installation and run instructions, see [INSTALLATION.md](./INSTALLATION.md).
@@ -176,4 +202,3 @@ go test ./... -v
 cd e2e
 make test
 ```
-

cmd/mpcium-cli/main.go

@@ -125,6 +125,31 @@ func main() {
 				},
 				Action: generateInitiatorIdentity,
 			},
+			{
+				Name:  "recover",
+				Usage: "Recover database from encrypted backup files",
+				Flags: []cli.Flag{
+					&cli.StringFlag{
+						Name:     "backup-dir",
+						Aliases:  []string{"b"},
+						Usage:    "Directory containing encrypted backup files",
+						Required: true,
+					},
+					&cli.StringFlag{
+						Name:     "recovery-path",
+						Aliases:  []string{"r"},
+						Usage:    "Target path for database recovery",
+						Required: true,
+					},
+					&cli.BoolFlag{
+						Name:    "force",
+						Aliases: []string{"f"},
+						Value:   false,
+						Usage:   "Force overwrite if recovery path already exists",
+					},
+				},
+				Action: recoverDatabase,
+			},
 			{
 				Name:  "version",
 				Usage: "Display detailed version information",

cmd/mpcium-cli/recovery.go

@@ -0,0 +1,63 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"syscall"
+
+	"github.com/fystack/mpcium/pkg/kvstore"
+	"github.com/urfave/cli/v3"
+	"golang.org/x/term"
+)
+
+// recoverDatabase handles the database recovery from encrypted backup files
+func recoverDatabase(ctx context.Context, c *cli.Command) error {
+	backupDir := c.String("backup-dir")
+	recoveryPath := c.String("recovery-path")
+	force := c.Bool("force")
+
+	if _, err := os.Stat(backupDir); os.IsNotExist(err) {
+		return fmt.Errorf("backup directory does not exist: %s", backupDir)
+	}
+
+	if _, err := os.Stat(recoveryPath); err == nil && !force {
+		return fmt.Errorf("recovery path already exists: %s (use --force to overwrite)", recoveryPath)
+	}
+
+	// Prompt for encryption key
+	var key []byte
+	fmt.Print("Enter backup encryption key: ")
+	keyBytes, err := term.ReadPassword(int(syscall.Stdin))
+	if err != nil {
+		return fmt.Errorf("failed to read encryption key: %w", err)
+	}
+	fmt.Println() // Add newline after password input
+	key = keyBytes
+	if len(key) == 0 {
+		return fmt.Errorf("encryption key cannot be empty")
+	}
+
+	// Remove existing recovery path if force flag is set
+	if force {
+		if err := os.RemoveAll(recoveryPath); err != nil {
+			return fmt.Errorf("failed to remove existing recovery path: %w", err)
+		}
+	}
+
+	fmt.Printf("Starting database recovery...\n")
+	fmt.Printf("Backup directory: %s\n", backupDir)
+	fmt.Printf("Recovery path: %s\n", recoveryPath)
+
+	// Create a temporary backup executor to access the backup files
+	tempExecutor := kvstore.NewBadgerBackupExecutor("temp", nil, key, backupDir)
+
+	// Perform the recovery using the existing method with specified recovery path
+	if err := tempExecutor.RestoreAllBackupsEncrypted(recoveryPath, key); err != nil {
+		return fmt.Errorf("recovery failed: %w", err)
+	}
+
+	fmt.Printf("✅ Database recovery completed successfully!\n")
+	fmt.Printf("Restored database is available at: %s\n", recoveryPath)
+	return nil
+}

cmd/mpcium/main.go

@@ -29,15 +29,15 @@ import (
 )
 
 const (
-	// Version information
-	VERSION = "0.2.1"
+	Version                    = "0.3.1"
+	DefaultBackupPeriodSeconds = 300 // (5 minutes)
 )
 
 func main() {
 	app := &cli.Command{
 		Name:    "mpcium",
 		Usage:   "Multi-Party Computation node for threshold signatures",
-		Version: VERSION,
+		Version: Version,
 		Commands: []*cli.Command{
 			{
 				Name:  "start",
@@ -72,7 +72,7 @@ func main() {
 				Name:  "version",
 				Usage: "Display detailed version information",
 				Action: func(ctx context.Context, c *cli.Command) error {
-					fmt.Printf("mpcium version %s\n", VERSION)
+					fmt.Printf("mpcium version %s\n", Version)
 					return nil
 				},
 			},
@@ -104,13 +104,21 @@ func runNode(ctx context.Context, c *cli.Command) error {
 	}
 
 	consulClient := infra.GetConsulClient(environment)
-	badgerKV := NewBadgerKV(nodeName)
-	defer badgerKV.Close()
-
 	keyinfoStore := keyinfo.NewStore(consulClient.KV())
 	peers := LoadPeersFromConsul(consulClient)
 	nodeID := GetIDFromName(nodeName, peers)
 
+	badgerKV := NewBadgerKV(nodeName, nodeID)
+	defer badgerKV.Close()
+
+	// Start background backup job
+	backupEnabled := viper.GetBool("backup_enabled")
+	if backupEnabled {
+		backupPeriodSeconds := viper.GetInt("backup_period_seconds")
+		stopBackup := StartPeriodicBackup(ctx, badgerKV, backupPeriodSeconds)
+		defer stopBackup()
+	}
+
 	identityStore, err := identity.NewFileStore("identity", nodeName, decryptPrivateKey)
 	if err != nil {
 		logger.Fatal("Failed to create identity store", err)
@@ -384,7 +392,7 @@ func GetIDFromName(name string, peers []config.Peer) string {
 	return nodeID
 }
 
-func NewBadgerKV(nodeName string) *kvstore.BadgerKVStore {
+func NewBadgerKV(nodeName, nodeID string) *kvstore.BadgerKVStore {
 	// Badger KV DB
 	// Use configured db_path or default to current directory + "db"
 	basePath := viper.GetString("db_path")
@@ -393,17 +401,55 @@ func NewBadgerKV(nodeName string) *kvstore.BadgerKVStore {
 	}
 	dbPath := filepath.Join(basePath, nodeName)
 
-	badgerKv, err := kvstore.NewBadgerKVStore(
-		dbPath,
-		[]byte(viper.GetString("badger_password")),
-	)
+	// Use configured backup_dir or default to current directory + "backups"
+	backupDir := viper.GetString("backup_dir")
+	if backupDir == "" {
+		backupDir = filepath.Join(".", "backups")
+	}
+
+	// Create BadgerConfig struct
+	config := kvstore.BadgerConfig{
+		NodeID:              nodeName,
+		EncryptionKey:       []byte(viper.GetString("badger_password")),
+		BackupEncryptionKey: []byte(viper.GetString("badger_password")), // Using same key for backup encryption
+		BackupDir:           backupDir,
+		DBPath:              dbPath,
+	}
+
+	badgerKv, err := kvstore.NewBadgerKVStore(config)
 	if err != nil {
 		logger.Fatal("Failed to create badger kv store", err)
 	}
-	logger.Info("Connected to badger kv store", "path", dbPath)
+	logger.Info("Connected to badger kv store", "path", dbPath, "backup_dir", backupDir)
 	return badgerKv
 }
 
+func StartPeriodicBackup(ctx context.Context, badgerKV *kvstore.BadgerKVStore, periodSeconds int) func() {
+	if periodSeconds <= 0 {
+		periodSeconds = DefaultBackupPeriodSeconds
+	}
+	backupTicker := time.NewTicker(time.Duration(periodSeconds) * time.Second)
+	backupCtx, backupCancel := context.WithCancel(ctx)
+	go func() {
+		for {
+			select {
+			case <-backupCtx.Done():
+				logger.Info("Backup background job stopped")
+				return
+			case <-backupTicker.C:
+				logger.Info("Running periodic BadgerDB backup...")
+				err := badgerKV.Backup()
+				if err != nil {
+					logger.Error("Periodic BadgerDB backup failed", err)
+				} else {
+					logger.Info("Periodic BadgerDB backup completed successfully")
+				}
+			}
+		}
+	}()
+	return backupCancel
+}
+
 func GetNATSConnection(environment string) (*nats.Conn, error) {
 	url := viper.GetString("nats.url")
 	opts := []nats.Option{

config.prod.yaml.template

@@ -11,3 +11,5 @@ consul:
 
 mpc_threshold: 2
 environment: production # Set to production for production environment
+backup_enabled: true
+backup_period_seconds: 300 # Seconds

config.yaml.template

@@ -9,3 +9,6 @@ badger_password: "your_badger_password"
 event_initiator_pubkey: "event_initiator_pubkey"
 max_concurrent_keygen: 2
 db_path: "."  
+backup_enabled: true
+backup_period_seconds: 300 # 5 minutes
+backup_dir: backups

pkg/encryption/aes.go

@@ -0,0 +1,36 @@
+package encryption
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+)
+
+func EncryptAESGCM(plain, key []byte) (ciphertext, nonce []byte, err error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, nil, err
+	}
+	aead, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, nil, err
+	}
+	nonce = make([]byte, aead.NonceSize())
+	if _, err = rand.Read(nonce); err != nil {
+		return nil, nil, err
+	}
+	ciphertext = aead.Seal(nil, nonce, plain, nil)
+	return ciphertext, nonce, nil
+}
+
+func DecryptAESGCM(ciphertext, key, nonce []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	aead, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+	return aead.Open(nil, nonce, ciphertext, nil)
+}