chore: add safeguards when enabling Vaault

dragarcia · dragarcia · commit 5b1e603c68bd · 2023-04-06T14:53:06.000+08:00
diff --git a/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql b/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql
@@ -10,6 +10,23 @@ grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, b
 grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role;
 grant execute on function pgsodium.crypto_aead_det_keygen to service_role;
 
-create extension if not exists supabase_vault;
+-- Only install as well if the extension is actually installed
+DO $$
+DECLARE
+  vault_exists boolean;
+BEGIN
+  vault_exists = (
+      select count(*) = 1 
+      from pg_available_extensions 
+      where name = 'supabase_vault'
+  );
+
+  IF vault_exists 
+  THEN
+  create extension if not exists supabase_vault;
+  END IF;
+END $$;
+
+
 
 -- migrate:down
diff --git a/migrations/schema.sql b/migrations/schema.sql
@@ -78,14 +78,6 @@ CREATE SCHEMA realtime;
 
 CREATE SCHEMA storage;
 
-
---
--- Name: vault; Type: SCHEMA; Schema: -; Owner: -
---
-
-CREATE SCHEMA vault;
-
-
 --
 -- Name: pg_graphql; Type: EXTENSION; Schema: -; Owner: -
 --
@@ -141,19 +133,43 @@ CREATE EXTENSION IF NOT EXISTS pgjwt WITH SCHEMA extensions;
 
 COMMENT ON EXTENSION pgjwt IS 'JSON Web Token API for Postgresql';
 
-
 --
--- Name: supabase_vault; Type: EXTENSION; Schema: -; Owner: -
 --
+--
+
+DO $$
+DECLARE
+  vault_exists boolean;
+BEGIN
+  vault_exists = (
+      select count(*) = 1 
+      from pg_available_extensions 
+      where name = 'supabase_vault'
+  );
 
-CREATE EXTENSION IF NOT EXISTS supabase_vault WITH SCHEMA vault;
+  IF vault_exists 
+  THEN
+  
+  --
+  -- Name: vault; Type: SCHEMA; Schema: -; Owner: -
+  --
 
+  CREATE SCHEMA vault;
+  --
+  -- Name: supabase_vault; Type: EXTENSION; Schema: -; Owner: -
+  --
 
---
--- Name: EXTENSION supabase_vault; Type: COMMENT; Schema: -; Owner: -
---
+  CREATE EXTENSION IF NOT EXISTS supabase_vault WITH SCHEMA vault;
+
+
+  --
+  -- Name: EXTENSION supabase_vault; Type: COMMENT; Schema: -; Owner: -
+  --
+
+  COMMENT ON EXTENSION supabase_vault IS 'Supabase Vault Extension';
 
-COMMENT ON EXTENSION supabase_vault IS 'Supabase Vault Extension';
+  END IF;
+END $$;
 
 
 --
@@ -577,23 +593,38 @@ $$;
 -- Name: secrets_encrypt_secret_secret(); Type: FUNCTION; Schema: vault; Owner: -
 --
 
-CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger
-    LANGUAGE plpgsql
-    AS $$
-		BEGIN
-		        new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE
-			CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode(
-			  pgsodium.crypto_aead_det_encrypt(
-				pg_catalog.convert_to(new.secret, 'utf8'),
-				pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'),
-				new.key_id::uuid,
-				new.nonce
-			  ),
-				'base64') END END;
-		RETURN new;
-		END;
-		$$;
+DO $$
+DECLARE
+  vault_exists boolean;
+BEGIN
+  vault_exists = (
+      select count(*) = 1 
+      from pg_available_extensions 
+      where name = 'supabase_vault'
+  );
+
+  IF vault_exists 
+  THEN
+  
+    CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger
+        LANGUAGE plpgsql
+        AS $$
+            BEGIN
+                    new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE
+                CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode(
+                pgsodium.crypto_aead_det_encrypt(
+                    pg_catalog.convert_to(new.secret, 'utf8'),
+                    pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'),
+                    new.key_id::uuid,
+                    new.nonce
+                ),
+                    'base64') END END;
+            RETURN new;
+            END;
+            $$;
 
+  END IF;
+END $$;
 
 SET default_tablespace = '';
 
@@ -785,25 +816,40 @@ CREATE TABLE storage.objects (
 -- Name: decrypted_secrets; Type: VIEW; Schema: vault; Owner: -
 --
 
-CREATE VIEW vault.decrypted_secrets AS
- SELECT secrets.id,
-    secrets.name,
-    secrets.description,
-    secrets.secret,
-        CASE
-            WHEN (secrets.secret IS NULL) THEN NULL::text
-            ELSE
+DO $$
+DECLARE
+  vault_exists boolean;
+BEGIN
+  vault_exists = (
+      select count(*) = 1 
+      from pg_available_extensions 
+      where name = 'supabase_vault'
+  );
+
+  IF vault_exists 
+  THEN
+  
+    CREATE VIEW vault.decrypted_secrets AS
+    SELECT secrets.id,
+        secrets.name,
+        secrets.description,
+        secrets.secret,
             CASE
-                WHEN (secrets.key_id IS NULL) THEN NULL::text
-                ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secrets.secret, 'base64'::text), convert_to(((((secrets.id)::text || secrets.description) || (secrets.created_at)::text) || (secrets.updated_at)::text), 'utf8'::name), secrets.key_id, secrets.nonce), 'utf8'::name)
-            END
-        END AS decrypted_secret,
-    secrets.key_id,
-    secrets.nonce,
-    secrets.created_at,
-    secrets.updated_at
-   FROM vault.secrets;
+                WHEN (secrets.secret IS NULL) THEN NULL::text
+                ELSE
+                CASE
+                    WHEN (secrets.key_id IS NULL) THEN NULL::text
+                    ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secrets.secret, 'base64'::text), convert_to(((((secrets.id)::text || secrets.description) || (secrets.created_at)::text) || (secrets.updated_at)::text), 'utf8'::name), secrets.key_id, secrets.nonce), 'utf8'::name)
+                END
+            END AS decrypted_secret,
+        secrets.key_id,
+        secrets.nonce,
+        secrets.created_at,
+        secrets.updated_at
+    FROM vault.secrets;
 
+  END IF;
+END $$;
 
 --
 -- Name: refresh_tokens id; Type: DEFAULT; Schema: auth; Owner: -
