fix(function): reject SM4 functions in community edition#35406
Conversation
There was a problem hiding this comment.
Code Review
This pull request restricts the SM4 encryption and decryption functions (sm4_encrypt and sm4_decrypt) to the Enterprise and Astra editions. It adds preprocessor checks in the built-in functions and SQL parser to raise an error when these functions are invoked in other editions. The test cases are also updated to dynamically detect SM4 support and verify that the appropriate error messages are returned when unsupported. I have no feedback to provide as there are no review comments.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Fixes #35349.
Problem
In the community edition,
SM4_ENCRYPT/SM4_DECRYPTreport success but return the plaintext unchanged: the community build ships a copy-through SM4 implementation (kept for internal storage encryption such as WAL/checkpoint), and the SQL layer did not reject these functions. Users therefore believe their data is encrypted while it is stored in plaintext.Changes
Reject the two SM4 SQL functions in community builds with
TSDB_CODE_OPS_NOT_SUPPORT("only supported in Enterprise edition"), at both entry points:source/libs/function/src/builtins.c:translateOutSm4/translateOutSm4Dereturn the error during function translation — covers all query paths (SELECT,WHERE,INSERT ... SELECT, ...).source/libs/parser/src/parInsertSql.c:parseBinaryrejectsTK_SM4_ENCRYPT/TK_SM4_DECRYPT— covers theINSERT ... VALUES(sm4_encrypt(...))constant-folding fast path, which bypasses function translation.Enterprise builds (
TD_ENTERPRISE/TD_ASTRA) are unchanged; the guard macro follows the existing convention insource/libs/crypt/src/crypt.c.Tests
test/cases/11-Functions/01-Scalar/test_scalar_crypto.py: probe SM4 availability, assert the enterprise-only error on SELECT/INSERT encrypt/decrypt paths in community edition; original positive cases now run only where SM4 is supported.test/cases/11-Functions/09-NoFrom/test_fun_no_from_all.py: SM4 no-FROM cases moved to a separate list and routed to positive/negative assertions based on a runtime probe, so the case passes on both editions. Also pass the test client config dir (-c) to thetaosCLI invocations.Verification (community build)
SELECT sm4_encrypt/decrypt(...),INSERT ... VALUES(sm4_encrypt/decrypt(...))all fail with0x80000100 only supported in Enterprise edition; AES functions unaffected; rejected SM4 inserts write no plaintext.3.4.1.13.alpha.community(basemain@df445db5dc), Linux x86_64. Enterprise edition was not run locally; it is unaffected by construction since the rejection is compiled out whenTD_ENTERPRISE/TD_ASTRAis defined.