tmp

soedirgo · soedirgo · commit 07ec6a0bb992 · 2025-04-16T16:54:00.000+08:00
diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh
@@ -152,86 +152,86 @@ EOF
         run_sql -c "update pg_extension set extowner = 'postgres'::regrole where extname = 'pgmq';"
     fi
 
-    # If upgrading to pgsodium-less Vault, Wrappers need to be updated so that
-    # foreign servers use `vault.secrets.id` instead of `vault.secrets.key_id`
-    UPDATE_WRAPPERS_SERVER_OPTIONS_QUERY=$(cat <<EOF
-  DO \$\$
-  DECLARE
-    server_rec RECORD;
-    option_rec RECORD;
-    vault_secrets RECORD;
-  BEGIN
-    IF EXISTS (SELECT FROM pg_available_extension_versions WHERE name = 'wrappers' AND version = '0.4.6')
-      AND EXISTS (SELECT FROM pg_extension WHERE extname = 'wrappers')
-    THEN
-      FOR server_rec IN
-        SELECT srvname, srvoptions
-        FROM pg_foreign_server
-      LOOP
-        FOR option_rec IN
-          SELECT split_part(srvoption, '=', 1) AS option_name, split_part(srvoption, '=', 2) AS option_value
-          FROM UNNEST(server_rec.srvoptions) AS srvoption
-        LOOP
-          IF EXISTS (SELECT FROM vault.secrets WHERE option_rec.option_value IN (id::text, key_id::text)) THEN
-            RAISE WARNING '%', format(
-              'ALTER SERVER %I OPTIONS (SET %I %L)',
-              server_rec.srvname,
-              option_rec.option_name,
-              (SELECT id FROM vault.secrets WHERE option_rec.option_value IN (id::text, key_id::text))
-            );
-            EXECUTE format(
-              'ALTER SERVER %I OPTIONS (SET %I %L)',
-              server_rec.srvname,
-              option_rec.option_name,
-              (SELECT id FROM vault.secrets WHERE option_rec.option_value IN (id::text, key_id::text))
-            );
-          END IF;
-        END LOOP;
-      END LOOP;
-    END IF;
-  END;
-  \$\$;
-EOF
-    )
-    run_sql -c "$UPDATE_WRAPPERS_SERVER_OPTIONS_QUERY"
-
-    # Patch to handle upgrading to pgsodium-less Vault
-    REENCRYPT_VAULT_SECRETS_QUERY=$(cat <<EOF
-    DO \$\$
-    BEGIN
-      IF EXISTS (SELECT FROM pg_available_extension_versions WHERE name = 'supabase_vault' AND version = '0.3.0')
-        AND EXISTS (SELECT FROM pg_extension WHERE extname = 'supabase_vault')
-      THEN
-        IF (SELECT extversion FROM pg_extension WHERE extname = 'supabase_vault') != '0.2.8' THEN
-          GRANT USAGE ON SCHEMA vault TO postgres WITH GRANT OPTION;
-          GRANT SELECT, DELETE ON vault.secrets, vault.decrypted_secrets TO postgres WITH GRANT OPTION;
-          GRANT EXECUTE ON FUNCTION vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt TO postgres WITH GRANT OPTION;
-        END IF;
-        -- Do an explicit IF EXISTS check to avoid referencing pgsodium objects if the project already migrated away from using pgsodium.
-        IF EXISTS (SELECT FROM vault.secrets WHERE key_id IS NOT NULL) THEN
-          UPDATE vault.secrets s
-          SET
-            secret = encode(
-              vault._crypto_aead_det_encrypt(
-                message := pgsodium.crypto_aead_det_decrypt(decode(s.secret, 'base64'), convert_to(s.id || s.description || s.created_at || s.updated_at, 'utf8'), s.key_id, s.nonce),
-                additional := convert_to(s.id::text, 'utf8'),
-                key_id := 0,
-                context := 'pgsodium'::bytea,
-                nonce := s.nonce
-              ),
-              'base64'
-            ),
-            key_id = NULL
-          WHERE
-            key_id IS NOT NULL;
-        END IF;
-      END IF;
-    END
-    \$\$;
-EOF
-    )
-    run_sql -c "$REENCRYPT_VAULT_SECRETS_QUERY"
-    exit 1
+#     # If upgrading to pgsodium-less Vault, Wrappers need to be updated so that
+#     # foreign servers use `vault.secrets.id` instead of `vault.secrets.key_id`
+#     UPDATE_WRAPPERS_SERVER_OPTIONS_QUERY=$(cat <<EOF
+#   DO \$\$
+#   DECLARE
+#     server_rec RECORD;
+#     option_rec RECORD;
+#     vault_secrets RECORD;
+#   BEGIN
+#     IF EXISTS (SELECT FROM pg_available_extension_versions WHERE name = 'wrappers' AND version = '0.4.6')
+#       AND EXISTS (SELECT FROM pg_extension WHERE extname = 'wrappers')
+#     THEN
+#       FOR server_rec IN
+#         SELECT srvname, srvoptions
+#         FROM pg_foreign_server
+#       LOOP
+#         FOR option_rec IN
+#           SELECT split_part(srvoption, '=', 1) AS option_name, split_part(srvoption, '=', 2) AS option_value
+#           FROM UNNEST(server_rec.srvoptions) AS srvoption
+#         LOOP
+#           IF EXISTS (SELECT FROM vault.secrets WHERE option_rec.option_value IN (id::text, key_id::text)) THEN
+#             RAISE WARNING '%', format(
+#               'ALTER SERVER %I OPTIONS (SET %I %L)',
+#               server_rec.srvname,
+#               option_rec.option_name,
+#               (SELECT id FROM vault.secrets WHERE option_rec.option_value IN (id::text, key_id::text))
+#             );
+#             EXECUTE format(
+#               'ALTER SERVER %I OPTIONS (SET %I %L)',
+#               server_rec.srvname,
+#               option_rec.option_name,
+#               (SELECT id FROM vault.secrets WHERE option_rec.option_value IN (id::text, key_id::text))
+#             );
+#           END IF;
+#         END LOOP;
+#       END LOOP;
+#     END IF;
+#   END;
+#   \$\$;
+# EOF
+#     )
+#     run_sql -c "$UPDATE_WRAPPERS_SERVER_OPTIONS_QUERY"
+
+#     # Patch to handle upgrading to pgsodium-less Vault
+#     REENCRYPT_VAULT_SECRETS_QUERY=$(cat <<EOF
+#     DO \$\$
+#     BEGIN
+#       IF EXISTS (SELECT FROM pg_available_extension_versions WHERE name = 'supabase_vault' AND version = '0.3.0')
+#         AND EXISTS (SELECT FROM pg_extension WHERE extname = 'supabase_vault')
+#       THEN
+#         IF (SELECT extversion FROM pg_extension WHERE extname = 'supabase_vault') != '0.2.8' THEN
+#           GRANT USAGE ON SCHEMA vault TO postgres WITH GRANT OPTION;
+#           GRANT SELECT, DELETE ON vault.secrets, vault.decrypted_secrets TO postgres WITH GRANT OPTION;
+#           GRANT EXECUTE ON FUNCTION vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt TO postgres WITH GRANT OPTION;
+#         END IF;
+#         -- Do an explicit IF EXISTS check to avoid referencing pgsodium objects if the project already migrated away from using pgsodium.
+#         IF EXISTS (SELECT FROM vault.secrets WHERE key_id IS NOT NULL) THEN
+#           UPDATE vault.secrets s
+#           SET
+#             secret = encode(
+#               vault._crypto_aead_det_encrypt(
+#                 message := pgsodium.crypto_aead_det_decrypt(decode(s.secret, 'base64'), convert_to(s.id || s.description || s.created_at || s.updated_at, 'utf8'), s.key_id, s.nonce),
+#                 additional := convert_to(s.id::text, 'utf8'),
+#                 key_id := 0,
+#                 context := 'pgsodium'::bytea,
+#                 nonce := s.nonce
+#               ),
+#               'base64'
+#             ),
+#             key_id = NULL
+#           WHERE
+#             key_id IS NOT NULL;
+#         END IF;
+#       END IF;
+#     END
+#     \$\$;
+# EOF
+#     )
+#     run_sql -c "$REENCRYPT_VAULT_SECRETS_QUERY"
+#     exit 1
 
     run_sql -c "grant pg_read_all_data, pg_signal_backend to postgres"
 }
