Granular errors on encrypted columnb constraint

tobyhede · tobyhede · commit cfe8d120a7e7 · 2024-10-30T17:09:56.000+11:00
diff --git a/sql/010-core.sql b/sql/010-core.sql
@@ -14,17 +14,88 @@ BEGIN
 END
 $$;
 
-DROP FUNCTION IF EXISTS _cs_encrypted_check_kind(jsonb);
-
-CREATE FUNCTION _cs_encrypted_check_kind(val jsonb)
-  RETURNS BOOLEAN
-LANGUAGE sql IMMUTABLE STRICT PARALLEL SAFE
-BEGIN ATOMIC
-  RETURN (
-    (val->>'k' = 'ct' AND val ? 'c') OR
-    (val->>'k' = 'sv' AND val ? 'sv')
-  ) AND NOT val ? 'p';
-END;
+--
+-- CT payload should include a c field
+--
+DROP FUNCTION IF EXISTS _cs_encrypted_check_k_ct(jsonb);
+CREATE FUNCTION _cs_encrypted_check_k_ct(val jsonb)
+  RETURNS boolean
+AS $$
+	BEGIN
+    IF (val->>'k' = 'ct' AND val ? 'c') THEN
+      RETURN true;
+    END IF;
+    RAISE 'Encrypted kind (k) of "ct" missing data field (c):  %', val;
+  END;
+$$ LANGUAGE plpgsql;
+
+--
+-- SV payload should include an sv field
+--
+DROP FUNCTION IF EXISTS _cs_encrypted_check_k_sv(jsonb);
+CREATE FUNCTION _cs_encrypted_check_k_sv(val jsonb)
+  RETURNS boolean
+AS $$
+	BEGIN
+    IF (val->>'k' = 'sv' AND val ? 'sv') THEN
+      RETURN true;
+    END IF;
+    RAISE 'Encrypted kind (k) of "sv" missing data field (sv):  %', val;
+  END;
+$$ LANGUAGE plpgsql;
+
+
+-- Plaintext field should never be present in an encrypted column
+DROP FUNCTION IF EXISTS _cs_encrypted_check_p(jsonb);
+CREATE FUNCTION _cs_encrypted_check_p(val jsonb)
+  RETURNS boolean
+AS $$
+	BEGIN
+    IF NOT val ? 'p' THEN
+      RETURN true;
+    END IF;
+    RAISE 'Encrypted includes plaintext (p) field: %', val;
+  END;
+$$ LANGUAGE plpgsql;
+
+-- Should include an ident field
+DROP FUNCTION IF EXISTS _cs_encrypted_check_i(jsonb);
+CREATE FUNCTION _cs_encrypted_check_i(val jsonb)
+  RETURNS boolean
+AS $$
+	BEGIN
+    IF val ? 'i' THEN
+      RETURN true;
+    END IF;
+    RAISE 'Encrypted missing ident (i) field: %', val;
+  END;
+$$ LANGUAGE plpgsql;
+
+-- Should include an ident field
+DROP FUNCTION IF EXISTS _cs_encrypted_check_i_ct(jsonb);
+CREATE FUNCTION _cs_encrypted_check_i_ct(val jsonb)
+  RETURNS boolean
+AS $$
+	BEGIN
+    IF (val->'i' ?& array['t', 'c']) THEN
+      RETURN true;
+    END IF;
+    RAISE 'Encrypted ident (i) missing table (t) or column (c) fields: %', val;
+  END;
+$$ LANGUAGE plpgsql;
+
+-- Should include an ident field
+DROP FUNCTION IF EXISTS _cs_encrypted_check_v(jsonb);
+CREATE FUNCTION _cs_encrypted_check_v(val jsonb)
+  RETURNS boolean
+AS $$
+	BEGIN
+    IF (val ? 'v') THEN
+      RETURN true;
+    END IF;
+    RAISE 'Encrypted missing version (v) field: %', val;
+  END;
+$$ LANGUAGE plpgsql;
 
 
 DROP FUNCTION IF EXISTS cs_check_encrypted_v1(val jsonb);
@@ -34,14 +105,11 @@ CREATE FUNCTION cs_check_encrypted_v1(val jsonb)
 LANGUAGE sql IMMUTABLE STRICT PARALLEL SAFE
 BEGIN ATOMIC
     RETURN (
-          -- version and source are required
-      val ?& array['v'] AND
-
-      -- table and column
-      val->'i' ?& array['t', 'c'] AND
-
-      -- plaintext or ciphertext for kind
-      _cs_encrypted_check_kind(val)
+      _cs_encrypted_check_v(val) AND
+      _cs_encrypted_check_i(val) AND
+      _cs_encrypted_check_k_ct(val) AND
+      _cs_encrypted_check_k_sv(val) AND
+      _cs_encrypted_check_p(val)
     );
 END;
 
