
Commit aac2a4b

committed
tmp
1 parent b38b581 commit aac2a4b


1 file changed

+74
-74
lines changed
  • ansible/files/admin_api_scripts/pg_upgrade_scripts

1 file changed

+74
-74
lines changed

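--- a/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh
+++ b/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh
@@ -152,80 +152,80 @@ EOF
 run_sql -c "update pg_extension set extowner = 'postgres'::regrole where extname = 'pgmq';"
 fi
 
-# If upgrading to pgsodium-less Vault, Wrappers need to be updated so that
-# foreign servers use `vault.secrets.id` instead of `vault.secrets.key_id`
-UPDATE_WRAPPERS_SERVER_OPTIONS_QUERY=$(cat <<EOF
-DO \$\$
-DECLARE
-server_rec RECORD;
-option_rec RECORD;
-vault_secrets RECORD;
-BEGIN
-IF EXISTS (SELECT FROM pg_available_extension_versions WHERE name = 'wrappers' AND version = '0.4.6')
-AND EXISTS (SELECT FROM pg_extension WHERE extname = 'wrappers')
-THEN
-FOR server_rec IN
-SELECT srvname, srvoptions
-FROM pg_foreign_server
-LOOP
-FOR option_rec IN
-SELECT split_part(srvoption, '=', 1) AS option_name, split_part(srvoption, '=', 2) AS option_value
-FROM UNNEST(server_rec.srvoptions) AS srvoption
-LOOP
-IF EXISTS (SELECT FROM vault.secrets WHERE option_rec.option_value IN (id::text, key_id::text)) THEN
-EXECUTE format(
-'ALTER SERVER %I OPTIONS (SET %I %L)',
-server_rec.srvname,
-option_rec.option_name,
-(SELECT id FROM vault.secrets WHERE option_rec.option_value IN (id::text, key_id::text))
-);
-END IF;
-END LOOP;
-END LOOP;
-END IF;
-CREATE SCHEMA sentinel;
-END;
-\$\$;
-EOF
-)
-run_sql -c "$UPDATE_WRAPPERS_SERVER_OPTIONS_QUERY"
-
-# Patch to handle upgrading to pgsodium-less Vault
-REENCRYPT_VAULT_SECRETS_QUERY=$(cat <<EOF
-DO \$\$
-BEGIN
-IF EXISTS (SELECT FROM pg_available_extension_versions WHERE name = 'supabase_vault' AND version = '0.3.0')
-AND EXISTS (SELECT FROM pg_extension WHERE extname = 'supabase_vault')
-THEN
-IF (SELECT extversion FROM pg_extension WHERE extname = 'supabase_vault') != '0.2.8' THEN
-GRANT USAGE ON SCHEMA vault TO postgres WITH GRANT OPTION;
-GRANT SELECT, DELETE ON vault.secrets, vault.decrypted_secrets TO postgres WITH GRANT OPTION;
-GRANT EXECUTE ON FUNCTION vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt TO postgres WITH GRANT OPTION;
-END IF;
--- Do an explicit IF EXISTS check to avoid referencing pgsodium objects if the project already migrated away from using pgsodium.
-IF EXISTS (SELECT FROM vault.secrets WHERE key_id IS NOT NULL) THEN
-UPDATE vault.secrets s
-SET
-secret = encode(
-vault._crypto_aead_det_encrypt(
-message := pgsodium.crypto_aead_det_decrypt(decode(s.secret, 'base64'), convert_to(s.id || s.description || s.created_at || s.updated_at, 'utf8'), s.key_id, s.nonce),
-additional := convert_to(s.id::text, 'utf8'),
-key_id := 0,
-context := 'pgsodium'::bytea,
-nonce := s.nonce
-),
-'base64'
-),
-key_id = NULL
-WHERE
-key_id IS NOT NULL;
-END IF;
-END IF;
-END
-\$\$;
-EOF
-)
-run_sql -c "$REENCRYPT_VAULT_SECRETS_QUERY"
+# # If upgrading to pgsodium-less Vault, Wrappers need to be updated so that
+# # foreign servers use `vault.secrets.id` instead of `vault.secrets.key_id`
+# UPDATE_WRAPPERS_SERVER_OPTIONS_QUERY=$(cat <<EOF
+# DO \$\$
+# DECLARE
+# server_rec RECORD;
+# option_rec RECORD;
+# vault_secrets RECORD;
+# BEGIN
+# IF EXISTS (SELECT FROM pg_available_extension_versions WHERE name = 'wrappers' AND version = '0.4.6')
+# AND EXISTS (SELECT FROM pg_extension WHERE extname = 'wrappers')
+# THEN
+# FOR server_rec IN
+# SELECT srvname, srvoptions
+# FROM pg_foreign_server
+# LOOP
+# FOR option_rec IN
+# SELECT split_part(srvoption, '=', 1) AS option_name, split_part(srvoption, '=', 2) AS option_value
+# FROM UNNEST(server_rec.srvoptions) AS srvoption
+# LOOP
+# IF EXISTS (SELECT FROM vault.secrets WHERE option_rec.option_value IN (id::text, key_id::text)) THEN
+# EXECUTE format(
+# 'ALTER SERVER %I OPTIONS (SET %I %L)',
+# server_rec.srvname,
+# option_rec.option_name,
+# (SELECT id FROM vault.secrets WHERE option_rec.option_value IN (id::text, key_id::text))
+# );
+# END IF;
+# END LOOP;
+# END LOOP;
+# END IF;
+# CREATE SCHEMA sentinel;
+# END;
+# \$\$;
+# EOF
+# )
+# run_sql -c "$UPDATE_WRAPPERS_SERVER_OPTIONS_QUERY"
+
+# # Patch to handle upgrading to pgsodium-less Vault
+# REENCRYPT_VAULT_SECRETS_QUERY=$(cat <<EOF
+# DO \$\$
+# BEGIN
+# IF EXISTS (SELECT FROM pg_available_extension_versions WHERE name = 'supabase_vault' AND version = '0.3.0')
+# AND EXISTS (SELECT FROM pg_extension WHERE extname = 'supabase_vault')
+# THEN
+# IF (SELECT extversion FROM pg_extension WHERE extname = 'supabase_vault') != '0.2.8' THEN
+# GRANT USAGE ON SCHEMA vault TO postgres WITH GRANT OPTION;
+# GRANT SELECT, DELETE ON vault.secrets, vault.decrypted_secrets TO postgres WITH GRANT OPTION;
+# GRANT EXECUTE ON FUNCTION vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt TO postgres WITH GRANT OPTION;
+# END IF;
+# -- Do an explicit IF EXISTS check to avoid referencing pgsodium objects if the project already migrated away from using pgsodium.
+# IF EXISTS (SELECT FROM vault.secrets WHERE key_id IS NOT NULL) THEN
+# UPDATE vault.secrets s
+# SET
+# secret = encode(
+# vault._crypto_aead_det_encrypt(
+# message := pgsodium.crypto_aead_det_decrypt(decode(s.secret, 'base64'), convert_to(s.id || s.description || s.created_at || s.updated_at, 'utf8'), s.key_id, s.nonce),
+# additional := convert_to(s.id::text, 'utf8'),
+# key_id := 0,
+# context := 'pgsodium'::bytea,
+# nonce := s.nonce
+# ),
+# 'base64'
+# ),
+# key_id = NULL
+# WHERE
+# key_id IS NOT NULL;
+# END IF;
+# END IF;
+# END
+# \$\$;
+# EOF
+# )
+# run_sql -c "$REENCRYPT_VAULT_SECRETS_QUERY"
 
 run_sql -c "grant pg_read_all_data, pg_signal_backend to postgres"
 }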
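Review bot: New lines 155–228 switch off both Vault-related upgrade steps by commenting them out line by line, and nothing in the new code says why or when they come back (the commit title is only "tmp"). Going by the block's own comments, these are the steps that repoint Wrappers foreign servers from `vault.secrets.key_id` to `vault.secrets.id` and re-encrypt rows where `key_id IS NOT NULL`, so an upgrade run with this script would presumably leave existing secrets bound to pgsodium keys and the `GRANT ... TO postgres WITH GRANT OPTION` statements unapplied. If the bypass is intentional, put a marker above line 155 such as `# TEMP: pgsodium-less Vault migration disabled, re-enable before release (<ISSUE-ID>)`, or delete the block and restore it from history rather than keeping 74 lines of dead SQL in the script. When it is re-enabled, `CREATE SCHEMA sentinel;` on line 186 looks like a leftover debug marker and, lacking `IF NOT EXISTS`, would error on a second run, so it should be checked before it goes back in. The enclosing shell function starts above the hunk.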
