Skip to content

Commit 06b007e

Browse files
soedirgosoedirgo
committed
chore: update vault tests to test for intended behavior
1 parent b32c85f commit 06b007e

File tree

2 files changed

+187
-50
lines changed

2 files changed

+187
-50
lines changed

nix/tests/expected/vault.out

Lines changed: 119 additions & 28 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
SET ROLE service_role;
1+
SET ROLE postgres;
22
SELECT EXISTS (
33
SELECT 1 FROM vault.create_secret('my_s3kre3t')
44
) AS can_create_secret;
@@ -27,44 +27,54 @@ SELECT EXISTS (
2727
t
2828
(1 row)
2929

30-
INSERT INTO vault.secrets (secret)
31-
VALUES ('s3kre3t_k3y')
32-
RETURNING EXISTS (
33-
SELECT 1
34-
) AS can_insert_into_secrets;
35-
ERROR: permission denied for function _crypto_aead_det_noncegen
30+
DO $$
31+
BEGIN
32+
INSERT INTO vault.secrets (secret)
33+
VALUES ('s3kre3t_k3y');
34+
EXCEPTION WHEN insufficient_privilege THEN RETURN;
35+
RAISE EXCEPTION 'should not be able to insert into vault.secrets';
36+
END;
37+
$$ LANGUAGE PLPGSQL;
3638
SELECT EXISTS (
37-
SELECT name, description FROM vault.decrypted_secrets LIMIT 1
39+
SELECT * FROM vault.decrypted_secrets LIMIT 1
3840
) AS can_select_from_decrypted_secrets;
3941
can_select_from_decrypted_secrets
4042
-----------------------------------
4143
t
4244
(1 row)
4345

44-
INSERT INTO vault.secrets (secret) VALUES ('temp_secret_to_delete');
45-
ERROR: permission denied for function _crypto_aead_det_noncegen
46+
SELECT vault.create_secret('s', new_name := 'temp_secret_to_delete') IS NOT NULL;
47+
?column?
48+
----------
49+
t
50+
(1 row)
51+
4652
WITH deleted AS (
47-
DELETE FROM vault.secrets
48-
WHERE secret = 'temp_secret_to_delete'
53+
DELETE FROM vault.secrets
54+
WHERE name = 'temp_secret_to_delete'
4955
RETURNING 1
5056
)
5157
SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_secrets;
5258
can_delete_from_secrets
5359
-------------------------
54-
f
60+
t
61+
(1 row)
62+
63+
SELECT vault.create_secret('temp_secret_to_delete_from_decrypted') IS NOT NULL;
64+
?column?
65+
----------
66+
t
5567
(1 row)
5668

57-
INSERT INTO vault.secrets (secret) VALUES ('temp_secret_to_delete_from_decrypted');
58-
ERROR: permission denied for function _crypto_aead_det_noncegen
5969
WITH deleted AS (
6070
DELETE FROM vault.decrypted_secrets
61-
WHERE secret = 'temp_secret_to_delete_from_decrypted'
71+
WHERE decrypted_secret = 'temp_secret_to_delete_from_decrypted'
6272
RETURNING 1
6373
)
6474
SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_decrypted_secrets;
6575
can_delete_from_decrypted_secrets
6676
-----------------------------------
67-
f
77+
t
6878
(1 row)
6979

7080
WITH secret_id AS (
@@ -81,20 +91,101 @@ SELECT EXISTS (
8191
t
8292
(1 row)
8393

84-
WITH encrypted_value AS (
85-
SELECT secret FROM vault.secrets ORDER BY created_at DESC LIMIT 1
94+
SET ROLE service_role;
95+
SELECT EXISTS (
96+
SELECT 1 FROM vault.create_secret('my_s3kre3t')
97+
) AS can_create_secret;
98+
can_create_secret
99+
-------------------
100+
t
101+
(1 row)
102+
103+
SELECT EXISTS (
104+
SELECT 1 FROM vault.create_secret(
105+
'another_s3kre3t',
106+
'unique_name',
107+
'This is the description'
108+
)
109+
) AS can_create_secret_with_params;
110+
ERROR: duplicate key value violates unique constraint "secrets_name_idx"
111+
DETAIL: Key (name)=(unique_name) already exists.
112+
CONTEXT: SQL statement "INSERT INTO vault.secrets (secret, name, description)
113+
VALUES (
114+
new_secret,
115+
new_name,
116+
new_description
117+
)
118+
RETURNING *"
119+
PL/pgSQL function vault.create_secret(text,text,text,uuid) line 5 at SQL statement
120+
SELECT EXISTS (
121+
SELECT 1 FROM vault.secrets LIMIT 1
122+
) AS can_select_from_secrets;
123+
can_select_from_secrets
124+
-------------------------
125+
t
126+
(1 row)
127+
128+
DO $$
129+
BEGIN
130+
INSERT INTO vault.secrets (secret)
131+
VALUES ('s3kre3t_k3y');
132+
EXCEPTION WHEN insufficient_privilege THEN RETURN;
133+
RAISE EXCEPTION 'should not be able to insert into vault.secrets';
134+
END;
135+
$$ LANGUAGE PLPGSQL;
136+
SELECT EXISTS (
137+
SELECT name, description FROM vault.decrypted_secrets LIMIT 1
138+
) AS can_select_from_decrypted_secrets;
139+
can_select_from_decrypted_secrets
140+
-----------------------------------
141+
t
142+
(1 row)
143+
144+
SELECT vault.create_secret('', new_name := 'temp_secret_to_delete') IS NOT NULL;
145+
?column?
146+
----------
147+
t
148+
(1 row)
149+
150+
WITH deleted AS (
151+
DELETE FROM vault.secrets
152+
WHERE name = 'temp_secret_to_delete'
153+
RETURNING 1
154+
)
155+
SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_secrets;
156+
can_delete_from_secrets
157+
-------------------------
158+
t
159+
(1 row)
160+
161+
SELECT vault.create_secret('temp_secret_to_delete_from_decrypted') IS NOT NULL;
162+
?column?
163+
----------
164+
t
165+
(1 row)
166+
167+
WITH deleted AS (
168+
DELETE FROM vault.decrypted_secrets
169+
WHERE decrypted_secret = 'temp_secret_to_delete_from_decrypted'
170+
RETURNING 1
171+
)
172+
SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_decrypted_secrets;
173+
can_delete_from_decrypted_secrets
174+
-----------------------------------
175+
t
176+
(1 row)
177+
178+
WITH secret_id AS (
179+
SELECT id FROM vault.secrets ORDER BY created_at DESC LIMIT 1
86180
)
87181
SELECT EXISTS (
88-
SELECT 1 FROM vault._crypto_aead_det_decrypt(
89-
decode((SELECT secret FROM encrypted_value), 'base64'),
90-
convert_to((SELECT id FROM vault.secrets ORDER BY created_at DESC LIMIT 1)::text, 'utf8'),
91-
0,
92-
'pgsodium'::bytea,
93-
(SELECT nonce FROM vault.secrets ORDER BY created_at DESC LIMIT 1)
182+
SELECT 1 FROM vault.update_secret(
183+
(SELECT id FROM secret_id),
184+
'updated_secret'
94185
)
95-
) AS can_decrypt;
96-
can_decrypt
97-
-------------
186+
) AS can_update_secret;
187+
can_update_secret
188+
-------------------
98189
t
99190
(1 row)
100191

nix/tests/sql/vault.sql

Lines changed: 68 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
SET ROLE service_role;
1+
SET ROLE postgres;
22

33
SELECT EXISTS (
44
SELECT 1 FROM vault.create_secret('my_s3kre3t')
@@ -16,29 +16,31 @@ SELECT EXISTS (
1616
SELECT 1 FROM vault.secrets LIMIT 1
1717
) AS can_select_from_secrets;
1818

19-
INSERT INTO vault.secrets (secret)
20-
VALUES ('s3kre3t_k3y')
21-
RETURNING EXISTS (
22-
SELECT 1
23-
) AS can_insert_into_secrets;
19+
DO $$
20+
BEGIN
21+
INSERT INTO vault.secrets (secret)
22+
VALUES ('s3kre3t_k3y');
23+
EXCEPTION WHEN insufficient_privilege THEN RETURN;
24+
RAISE EXCEPTION 'should not be able to insert into vault.secrets';
25+
END;
26+
$$ LANGUAGE PLPGSQL;
2427

2528
SELECT EXISTS (
26-
SELECT name, description FROM vault.decrypted_secrets LIMIT 1
29+
SELECT * FROM vault.decrypted_secrets LIMIT 1
2730
) AS can_select_from_decrypted_secrets;
2831

29-
INSERT INTO vault.secrets (secret) VALUES ('temp_secret_to_delete');
30-
32+
SELECT vault.create_secret('s', new_name := 'temp_secret_to_delete') IS NOT NULL;
3133
WITH deleted AS (
32-
DELETE FROM vault.secrets
33-
WHERE secret = 'temp_secret_to_delete'
34+
DELETE FROM vault.secrets
35+
WHERE name = 'temp_secret_to_delete'
3436
RETURNING 1
3537
)
3638
SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_secrets;
3739

38-
INSERT INTO vault.secrets (secret) VALUES ('temp_secret_to_delete_from_decrypted');
40+
SELECT vault.create_secret('temp_secret_to_delete_from_decrypted') IS NOT NULL;
3941
WITH deleted AS (
4042
DELETE FROM vault.decrypted_secrets
41-
WHERE secret = 'temp_secret_to_delete_from_decrypted'
43+
WHERE decrypted_secret = 'temp_secret_to_delete_from_decrypted'
4244
RETURNING 1
4345
)
4446
SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_decrypted_secrets;
@@ -53,17 +55,61 @@ SELECT EXISTS (
5355
)
5456
) AS can_update_secret;
5557

56-
WITH encrypted_value AS (
57-
SELECT secret FROM vault.secrets ORDER BY created_at DESC LIMIT 1
58+
SET ROLE service_role;
59+
60+
SELECT EXISTS (
61+
SELECT 1 FROM vault.create_secret('my_s3kre3t')
62+
) AS can_create_secret;
63+
64+
SELECT EXISTS (
65+
SELECT 1 FROM vault.create_secret(
66+
'another_s3kre3t',
67+
'unique_name',
68+
'This is the description'
69+
)
70+
) AS can_create_secret_with_params;
71+
72+
SELECT EXISTS (
73+
SELECT 1 FROM vault.secrets LIMIT 1
74+
) AS can_select_from_secrets;
75+
76+
DO $$
77+
BEGIN
78+
INSERT INTO vault.secrets (secret)
79+
VALUES ('s3kre3t_k3y');
80+
EXCEPTION WHEN insufficient_privilege THEN RETURN;
81+
RAISE EXCEPTION 'should not be able to insert into vault.secrets';
82+
END;
83+
$$ LANGUAGE PLPGSQL;
84+
85+
SELECT EXISTS (
86+
SELECT name, description FROM vault.decrypted_secrets LIMIT 1
87+
) AS can_select_from_decrypted_secrets;
88+
89+
SELECT vault.create_secret('', new_name := 'temp_secret_to_delete') IS NOT NULL;
90+
WITH deleted AS (
91+
DELETE FROM vault.secrets
92+
WHERE name = 'temp_secret_to_delete'
93+
RETURNING 1
94+
)
95+
SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_secrets;
96+
97+
SELECT vault.create_secret('temp_secret_to_delete_from_decrypted') IS NOT NULL;
98+
WITH deleted AS (
99+
DELETE FROM vault.decrypted_secrets
100+
WHERE decrypted_secret = 'temp_secret_to_delete_from_decrypted'
101+
RETURNING 1
102+
)
103+
SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_decrypted_secrets;
104+
105+
WITH secret_id AS (
106+
SELECT id FROM vault.secrets ORDER BY created_at DESC LIMIT 1
58107
)
59108
SELECT EXISTS (
60-
SELECT 1 FROM vault._crypto_aead_det_decrypt(
61-
decode((SELECT secret FROM encrypted_value), 'base64'),
62-
convert_to((SELECT id FROM vault.secrets ORDER BY created_at DESC LIMIT 1)::text, 'utf8'),
63-
0,
64-
'pgsodium'::bytea,
65-
(SELECT nonce FROM vault.secrets ORDER BY created_at DESC LIMIT 1)
109+
SELECT 1 FROM vault.update_secret(
110+
(SELECT id FROM secret_id),
111+
'updated_secret'
66112
)
67-
) AS can_decrypt;
113+
) AS can_update_secret;
68114

69115
RESET ROLE;

0 commit comments

Comments
 (0)