@@ -965,10 +965,10 @@ index 0000000..e21cb68
965965+ }
966966diff --git a/sql/supabase_vault--0.2.8--0.3.0.sql b/sql/supabase_vault--0.2.8--0.3.0.sql
967967new file mode 100644
968- index 0000000..cb92b0f
968+ index 0000000..f120f5f
969969--- /dev/null
970970+++ b/sql/supabase_vault--0.2.8--0.3.0.sql
971- @@ -0,0 +1,134 @@
971+ @@ -0,0 +1,135 @@
972972+ CREATE OR REPLACE FUNCTION vault._crypto_aead_det_encrypt(message bytea, additional bytea, key_id bigint, context bytea = 'pgsodium', nonce bytea = NULL)
973973+ RETURNS bytea
974974+ AS 'MODULE_PATHNAME', 'pgsodium_crypto_aead_det_encrypt_by_id'
@@ -984,37 +984,38 @@ index 0000000..cb92b0f
984984+ AS 'MODULE_PATHNAME', 'pgsodium_crypto_aead_det_noncegen'
985985+ LANGUAGE c IMMUTABLE;
986986+
987- + DO $$
988- + BEGIN
989- + SET search_path = '';
987+ + SECURITY LABEL ON COLUMN vault.secrets.secret IS NULL;
990988+
991- + SECURITY LABEL ON COLUMN vault.secrets.secret IS NULL;
989+ + DROP TRIGGER IF EXISTS secrets_encrypt_secret_trigger_secret ON vault.secrets;
990+ + DROP FUNCTION IF EXISTS vault.secrets_encrypt_secret_secret;
992991+
993- + DROP TRIGGER IF EXISTS secrets_encrypt_secret_trigger_secret ON vault.secrets ;
994- +
995- + DROP FUNCTION IF EXISTS vault.secrets_encrypt_secret_secret ;
992+ + ALTER TABLE vault.secrets DROP CONSTRAINT IF EXISTS secrets_key_id_fkey ;
993+ + ALTER TABLE vault.secrets ALTER key_id DROP DEFAULT;
994+ + ALTER TABLE vault.secrets ALTER nonce SET DEFAULT vault._crypto_aead_det_noncegen() ;
996995+
997- + ALTER TABLE vault.secrets DROP CONSTRAINT IF EXISTS secrets_key_id_fkey;
996+ + DO $$
997+ + BEGIN
998+ + SET search_path = '';
998999+
9991000+ IF EXISTS (SELECT FROM vault.secrets) THEN
10001001+ UPDATE vault.decrypted_secrets s
10011002+ SET
1002- + secret = encode(vault._crypto_aead_det_encrypt(
1003- + message := convert_to(decrypted_secret, 'utf8'),
1004- + additional := convert_to(s.id || s.description || (s.created_at at time zone 'utc') || (s.updated_at at time zone 'utc'), 'utf8'),
1005- + key_id := 0,
1006- + context := 'pgsodium'::bytea,
1007- + nonce := s.nonce
1008- + ), 'base64'),
1009- + key_id = '00000000-0000-0000-0000-000000000000';
1003+ + secret = encode(
1004+ + vault._crypto_aead_det_encrypt(
1005+ + message := convert_to(decrypted_secret, 'utf8'),
1006+ + additional := convert_to(s.id || s.description || (s.created_at at time zone 'utc') || (s.updated_at at time zone 'utc'), 'utf8'),
1007+ + key_id := 0,
1008+ + context := 'pgsodium'::bytea,
1009+ + nonce := s.nonce
1010+ + ),
1011+ + 'base64'
1012+ + ),
1013+ + key_id = NULL;
10101014+ END IF;
1011- +
1012- + DROP VIEW IF EXISTS vault.decrypted_secrets;
10131015+ END
10141016+ $$;
10151017+
1016- + ALTER TABLE vault.secrets ALTER nonce SET DEFAULT vault._crypto_aead_det_noncegen();
1017- +
1018+ + DROP VIEW IF EXISTS vault.decrypted_secrets;
10181019+ CREATE VIEW vault.decrypted_secrets AS
10191020+ SELECT s.id,
10201021+ s.name,
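Review bot: The associated data passed to `_crypto_aead_det_encrypt` in the UPDATE (`s.id || s.description || (s.created_at at time zone 'utc') || ...`) casts the two timestamps to text implicitly, so the AAD bytes, and with them the decryptability of every re-encrypted row, depend on the DateStyle in effect when this migration runs; the DO block pins `search_path` but not `DateStyle`. If the recreated view computes the same expression (its body continues past the hunk), a later session with a different DateStyle would fail to authenticate the ciphertext. Formatting the instants explicitly in both places, e.g. `to_char(s.created_at at time zone 'utc', 'YYYY-MM-DD HH24:MI:SS.US')`, removes that dependency. A NULL `description` likewise turns the whole `||` chain, and so the AAD, into NULL, which is worth guarding with `coalesce(s.description, '')` or a NOT NULL constraint if the column allows NULL. Consider also `SET LOCAL search_path = '';` so the setting is bounded to the migration's transaction rather than the session.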
@@ -1103,6 +1104,18 @@ index 0000000..cb92b0f
11031104+ WHERE s.id = secret_id;
11041105+ END
11051106+ $$;
1107+ diff --git a/sql/supabase_vault--0.2.8.sql b/sql/supabase_vault--0.2.8.sql
1108+ index ee40004..8973fe0 100644
1109+ --- a/sql/supabase_vault--0.2.8.sql
1110+ +++ b/sql/supabase_vault--0.2.8.sql
1111+ @@ -8,7 +8,6 @@ CREATE TABLE vault.secrets (
1112+ created_at timestamptz NOT NULL DEFAULT CURRENT_TIMESTAMP,
1113+ updated_at timestamptz NOT NULL DEFAULT CURRENT_TIMESTAMP
1114+ );
1115+ - ALTER TABLE vault.secrets OWNER TO session_user;
1116+
1117+ COMMENT ON TABLE vault.secrets IS 'Table with encrypted `secret` column for storing sensitive information on disk.';
1118+
11061119diff --git a/src/crypto_aead_det_xchacha20.c b/src/crypto_aead_det_xchacha20.c
11071120new file mode 100644
11081121index 0000000..8b7df0e
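Review bot: Removing `ALTER TABLE vault.secrets OWNER TO session_user;` from the 0.2.8 install script makes fresh installs and upgraded installs diverge: databases that ran the earlier 0.2.8 script already transferred ownership of `vault.secrets` to the installing role, and nothing in the 0.2.8--0.3.0 upgrade hunks visible above reverts or normalizes that owner. Since ownership decides default privileges on the table holding ciphertext, the upgrade script should end both paths on the same owner, e.g. a matching `ALTER TABLE vault.secrets OWNER TO <intended role>;` in the upgrade script. The existence of the 0.2.8--0.3.0 upgrade script suggests 0.2.8 is an already-released version, so editing its install script rather than fixing forward deserves a sentence in the commit message. The full 0.3.0 install script is not in this diff, so I am assuming it mirrors this change.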