feat: vault sans pgsodium

Author: soedirgo

ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh

@@ -150,6 +150,43 @@ EOF
 
         run_sql -c "$PATCH_PGMQ_QUERY"
         run_sql -c "update pg_extension set extowner = 'postgres'::regrole where extname = 'pgmq';"
+
+        # Patch to handle upgrading to pgsodium-less Vault
+        REENCRYPT_VAULT_SECRETS_QUERY=$(cat <<EOF
+        DO \$\$
+        BEGIN
+          IF EXISTS (SELECT FROM pg_available_extension_versions WHERE name = 'supabase_vault' AND version = '0.3.0')
+            AND EXISTS (SELECT FROM pg_extension WHERE extname = 'supabase_vault')
+          THEN
+            IF (SELECT extversion FROM pg_extension WHERE extname = 'supabase_vault') != '0.2.8' THEN
+              GRANT USAGE ON SCHEMA vault TO postgres WITH GRANT OPTION;
+              GRANT SELECT, DELETE ON vault.secrets, vault.decrypted_secrets TO postgres WITH GRANT OPTION;
+              GRANT EXECUTE ON FUNCTION vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt TO postgres WITH GRANT OPTION;
+            END IF;
+            -- Do an explicit IF EXISTS check to avoid referencing pgsodium objects if the project already migrated away from using pgsodium.
+            IF EXISTS (SELECT FROM vault.secrets WHERE key_id IS NOT NULL) THEN
+              UPDATE vault.secrets s
+              SET
+                secret = encode(
+                  vault._crypto_aead_det_encrypt(
+                    message := pgsodium.crypto_aead_det_decrypt(decode(s.secret, 'base64'), convert_to(s.id || s.description || s.created_at || s.updated_at, 'utf8'), s.key_id, s.nonce),
+                    additional := convert_to(s.id::text, 'utf8'),
+                    key_id := 0,
+                    context := 'pgsodium'::bytea,
+                    nonce := s.nonce
+                  ),
+                  'base64'
+                ),
+                key_id = NULL
+              WHERE
+                key_id IS NOT NULL;
+            END IF;
+          END IF;
+        END
+        \$\$;
+EOF
+        )
+        run_sql -c "$REENCRYPT_VAULT_SECRETS_QUERY"
     fi
 
     run_sql -c "grant pg_read_all_data, pg_signal_backend to postgres"

ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql

@@ -0,0 +1,3 @@
+grant usage on schema vault to postgres with grant option;
+grant select, delete on vault.secrets, vault.decrypted_secrets to postgres with grant option;
+grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to postgres with grant option;

ansible/files/sodium_extension.sql

@@ -8,8 +8,8 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.0.1.34-orioledb"
-  postgres15: "15.8.1.038"
+  postgresorioledb-17: "17.0.1.035-orioledb"
+  postgres15: "15.8.1.039"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"

ansible/vars.yml

@@ -17,7 +17,6 @@ BEGIN
         extension_array := ARRAY[
             'plpgsql',
             'pg_stat_statements',
-            'pgsodium',
             'pgtap',
             'pg_graphql',
             'pgcrypto',
@@ -30,7 +29,6 @@ BEGIN
         extension_array := ARRAY[
             'plpgsql',
             'pg_stat_statements',
-            'pgsodium',
             'pgtap',
             'pg_graphql',
             'pgcrypto',
@@ -44,7 +42,7 @@ BEGIN
     PERFORM set_config('myapp.extensions', array_to_string(extension_array, ','), false);
 END $$;
 
-SELECT plan(8);
+SELECT no_plan();
 
 SELECT extensions_are(
     string_to_array(current_setting('myapp.extensions'), ',')::text[]
@@ -56,9 +54,5 @@ SELECT has_schema('pg_catalog');
 SELECT has_schema('information_schema');
 SELECT has_schema('public');
 
-SELECT function_privs_are('pgsodium', 'crypto_aead_det_decrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
-SELECT function_privs_are('pgsodium', 'crypto_aead_det_encrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
-SELECT function_privs_are('pgsodium', 'crypto_aead_det_keygen', array[]::text[], 'service_role', array['EXECUTE']);
-
 SELECT * FROM finish();
-ROLLBACK;
+ROLLBACK;

ebssurrogate/files/unit-tests/unit-test-01.sql

@@ -0,0 +1,17 @@
+-- migrate:up
+
+DO $$
+BEGIN
+  IF EXISTS (select from pg_available_extensions where name = 'supabase_vault')
+  THEN
+    create extension if not exists supabase_vault;
+
+    -- for some reason extension custom scripts aren't run during AMI build, so
+    -- we manually run it here
+    grant usage on schema vault to postgres with grant option;
+    grant select, delete on vault.secrets, vault.decrypted_secrets to postgres with grant option;
+    grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to postgres with grant option;
+  END IF;
+END $$;
+
+-- migrate:down

migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql

@@ -4,7 +4,5 @@ ALTER ROLE authenticated inherit;
 ALTER ROLE anon inherit;
 ALTER ROLE service_role inherit;
 
-GRANT pgsodium_keyholder to service_role;
-
 -- migrate:down
 

migrations/db/migrations/20221207154255_create_vault.sql

@@ -2,10 +2,6 @@ SELECT database_privs_are(
     'postgres', 'postgres', ARRAY['CONNECT', 'TEMPORARY', 'CREATE']
 );
 
-SELECT function_privs_are('pgsodium', 'crypto_aead_det_decrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
-SELECT function_privs_are('pgsodium', 'crypto_aead_det_encrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
-SELECT function_privs_are('pgsodium', 'crypto_aead_det_keygen', array[]::text[], 'service_role', array['EXECUTE']);
-
 -- Verify public schema privileges
 SELECT schema_privs_are('public', 'postgres', array['CREATE', 'USAGE']);
 SELECT schema_privs_are('public', 'anon', array['USAGE']);

migrations/db/migrations/20230529180330_alter_api_roles_for_inherit.sql

@@ -1,23 +1,24 @@
-{ lib, stdenv, fetchFromGitHub, postgresql }:
+{ lib, stdenv, fetchFromGitHub, libsodium, postgresql }:
 
 stdenv.mkDerivation rec {
   pname = "vault";
-  version = "0.2.9";
+  version = "0.3.1";
 
-  buildInputs = [ postgresql ];
+  buildInputs = [ libsodium postgresql ];
 
   src = fetchFromGitHub {
     owner = "supabase";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-kXTngBW4K6FkZM8HvJG2Jha6OQqbejhnk7tchxy031I=";
+    hash = "sha256-MC87bqgtynnDhmNZAu96jvfCpsGDCPB0g5TZfRQHd30=";
   };
 
   installPhase = ''
     mkdir -p $out/{lib,share/postgresql/extension}
 
-    cp sql/*.sql $out/share/postgresql/extension
-    cp *.control $out/share/postgresql/extension
+    install -D *${postgresql.dlSuffix} $out/lib
+    install -D -t $out/share/postgresql/extension sql/*.sql
+    install -D -t $out/share/postgresql/extension *.control
   '';
 
   meta = with lib; {