fix: add constraint on add search config

tobyhede · tobyhede · commit aa3f683153b6 · 2025-09-08T16:29:21.000+10:00
diff --git a/src/config/functions.sql b/src/config/functions.sql
@@ -61,7 +61,7 @@ AS $$
       PERFORM eql_v2.activate_config();
     END IF;
 
-    -- PERFORM eql_v2.add_encrypted_constraint(table_name, column_name);
+    PERFORM eql_v2.add_encrypted_constraint(table_name, column_name);
 
     -- exeunt
     RETURN _config;
diff --git a/src/encrypted/constraints_test.sql b/src/encrypted/constraints_test.sql
@@ -43,6 +43,66 @@ DO $$
 $$ LANGUAGE plpgsql;
 
 
+-- -----------------------------------------------
+-- Adding search config adds the constraint
+--
+-- -----------------------------------------------
+TRUNCATE TABLE eql_v2_configuration;
+
+DO $$
+  BEGIN
+    -- reset the table
+    PERFORM create_table_with_encrypted();
+
+    PERFORM eql_v2.add_search_config('encrypted', 'e', 'match');
+
+    PERFORM assert_exception(
+        'Constraint catches invalid eql_v2_encrypted',
+        'INSERT INTO encrypted (e) VALUES (''{}''::jsonb::eql_v2_encrypted)');
+
+    -- add constraint without error
+    PERFORM eql_v2.add_encrypted_constraint('encrypted', 'e');
+
+    PERFORM eql_v2.remove_encrypted_constraint('encrypted', 'e');
+
+    PERFORM assert_result(
+        'Insert invalid data without constraint',
+        'INSERT INTO encrypted (e) VALUES (''{}''::jsonb::eql_v2_encrypted) RETURNING id');
+
+  END;
+$$ LANGUAGE plpgsql;
+
+
+-- -----------------------------------------------
+-- Adding column adds the constraint
+--
+-- -----------------------------------------------
+TRUNCATE TABLE eql_v2_configuration;
+
+DO $$
+  BEGIN
+    -- reset the table
+    PERFORM create_table_with_encrypted();
+
+    PERFORM eql_v2.add_column('encrypted', 'e');
+
+    PERFORM assert_exception(
+        'Constraint catches invalid eql_v2_encrypted',
+        'INSERT INTO encrypted (e) VALUES (''{}''::jsonb::eql_v2_encrypted)');
+
+    -- add constraint without error
+    PERFORM eql_v2.add_encrypted_constraint('encrypted', 'e');
+
+    PERFORM eql_v2.remove_encrypted_constraint('encrypted', 'e');
+
+    PERFORM assert_result(
+        'Insert invalid data without constraint',
+        'INSERT INTO encrypted (e) VALUES (''{}''::jsonb::eql_v2_encrypted) RETURNING id');
+
+  END;
+$$ LANGUAGE plpgsql;
+
+
 -- EQL version is enforced
 DO $$
   DECLARE
diff --git a/src/encrypted/functions.sql b/src/encrypted/functions.sql
@@ -51,8 +51,12 @@ CREATE FUNCTION eql_v2.add_encrypted_constraint(table_name TEXT, column_name TEX
   RETURNS void
 AS $$
 	BEGIN
-		EXECUTE format('ALTER TABLE %I ADD CONSTRAINT eql_v2_encrypted_check_%I CHECK (eql_v2.check_encrypted(%I))', table_name, column_name, column_name);
-	END;
+    EXECUTE format('ALTER TABLE %I ADD CONSTRAINT eql_v2_encrypted_constraint_%I_%I CHECK (eql_v2.check_encrypted(%I))', table_name, table_name, column_name, column_name);
+  EXCEPTION
+    WHEN duplicate_table THEN
+    WHEN duplicate_object THEN
+      RAISE NOTICE 'Constraint `eql_v2_encrypted_constraint_%_%` already exists, skipping', table_name, column_name;
+  END;
 $$ LANGUAGE plpgsql;
 
 
@@ -66,7 +70,7 @@ CREATE FUNCTION eql_v2.remove_encrypted_constraint(table_name TEXT, column_name
   RETURNS void
 AS $$
 	BEGIN
-		EXECUTE format('ALTER TABLE %I DROP CONSTRAINT IF EXISTS eql_v2_encrypted_check_%I', table_name, column_name);
+		EXECUTE format('ALTER TABLE %I DROP CONSTRAINT IF EXISTS eql_v2_encrypted_constraint_%I_%I', table_name, table_name, column_name);
 	END;
 $$ LANGUAGE plpgsql;
 
