chore: proposed additions to vault regress tests

samrose · samrose · commit b32c85f8520e · 2025-04-11T16:39:39.000-04:00
diff --git a/nix/tests/expected/vault.out b/nix/tests/expected/vault.out
@@ -1,42 +1,101 @@
-select
-  1
-from
-  vault.create_secret('my_s3kre3t');
- ?column? 
-----------
-        1
-(1 row)
-
-select
-  1
-from
-  vault.create_secret(
+SET ROLE service_role;
+SELECT EXISTS (
+  SELECT 1 FROM vault.create_secret('my_s3kre3t')
+) AS can_create_secret;
+ can_create_secret 
+-------------------
+ t
+(1 row)
+
+SELECT EXISTS (
+  SELECT 1 FROM vault.create_secret(
     'another_s3kre3t',
     'unique_name',
     'This is the description'
-  );
- ?column? 
-----------
-        1
-(1 row)
-
-insert into vault.secrets (secret)
-values
-  ('s3kre3t_k3y');
-select
-  name,
-  description
-from
-  vault.decrypted_secrets 
-order by
-  created_at desc 
-limit
-  3;
-    name     |       description       
--------------+-------------------------
-             | 
- unique_name | This is the description
-             | 
-(3 rows)
-
- 
+  )
+) AS can_create_secret_with_params;
+ can_create_secret_with_params 
+-------------------------------
+ t
+(1 row)
+
+SELECT EXISTS (
+  SELECT 1 FROM vault.secrets LIMIT 1
+) AS can_select_from_secrets;
+ can_select_from_secrets 
+-------------------------
+ t
+(1 row)
+
+INSERT INTO vault.secrets (secret)
+VALUES ('s3kre3t_k3y')
+RETURNING EXISTS (
+  SELECT 1
+) AS can_insert_into_secrets;
+ERROR:  permission denied for function _crypto_aead_det_noncegen
+SELECT EXISTS (
+  SELECT name, description FROM vault.decrypted_secrets LIMIT 1
+) AS can_select_from_decrypted_secrets;
+ can_select_from_decrypted_secrets 
+-----------------------------------
+ t
+(1 row)
+
+INSERT INTO vault.secrets (secret) VALUES ('temp_secret_to_delete');
+ERROR:  permission denied for function _crypto_aead_det_noncegen
+WITH deleted AS (
+  DELETE FROM vault.secrets 
+  WHERE secret = 'temp_secret_to_delete'
+  RETURNING 1
+)
+SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_secrets;
+ can_delete_from_secrets 
+-------------------------
+ f
+(1 row)
+
+INSERT INTO vault.secrets (secret) VALUES ('temp_secret_to_delete_from_decrypted');
+ERROR:  permission denied for function _crypto_aead_det_noncegen
+WITH deleted AS (
+  DELETE FROM vault.decrypted_secrets 
+  WHERE secret = 'temp_secret_to_delete_from_decrypted'
+  RETURNING 1
+)
+SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_decrypted_secrets;
+ can_delete_from_decrypted_secrets 
+-----------------------------------
+ f
+(1 row)
+
+WITH secret_id AS (
+  SELECT id FROM vault.secrets ORDER BY created_at DESC LIMIT 1
+)
+SELECT EXISTS (
+  SELECT 1 FROM vault.update_secret(
+    (SELECT id FROM secret_id),
+    'updated_secret'
+  )
+) AS can_update_secret;
+ can_update_secret 
+-------------------
+ t
+(1 row)
+
+WITH encrypted_value AS (
+  SELECT secret FROM vault.secrets ORDER BY created_at DESC LIMIT 1
+)
+SELECT EXISTS (
+  SELECT 1 FROM vault._crypto_aead_det_decrypt(
+    decode((SELECT secret FROM encrypted_value), 'base64'),
+    convert_to((SELECT id FROM vault.secrets ORDER BY created_at DESC LIMIT 1)::text, 'utf8'),
+    0,
+    'pgsodium'::bytea,
+    (SELECT nonce FROM vault.secrets ORDER BY created_at DESC LIMIT 1)
+  )
+) AS can_decrypt;
+ can_decrypt 
+-------------
+ t
+(1 row)
+
+RESET ROLE;
diff --git a/nix/tests/sql/vault.sql b/nix/tests/sql/vault.sql
@@ -1,30 +1,69 @@
-select
-  1
-from
-  vault.create_secret('my_s3kre3t');
-
-select
-  1
-from
-  vault.create_secret(
+SET ROLE service_role;
+
+SELECT EXISTS (
+  SELECT 1 FROM vault.create_secret('my_s3kre3t')
+) AS can_create_secret;
+
+SELECT EXISTS (
+  SELECT 1 FROM vault.create_secret(
     'another_s3kre3t',
     'unique_name',
     'This is the description'
-  );
+  )
+) AS can_create_secret_with_params;
+
+SELECT EXISTS (
+  SELECT 1 FROM vault.secrets LIMIT 1
+) AS can_select_from_secrets;
+
+INSERT INTO vault.secrets (secret)
+VALUES ('s3kre3t_k3y')
+RETURNING EXISTS (
+  SELECT 1
+) AS can_insert_into_secrets;
+
+SELECT EXISTS (
+  SELECT name, description FROM vault.decrypted_secrets LIMIT 1
+) AS can_select_from_decrypted_secrets;
+
+INSERT INTO vault.secrets (secret) VALUES ('temp_secret_to_delete');
+
+WITH deleted AS (
+  DELETE FROM vault.secrets 
+  WHERE secret = 'temp_secret_to_delete'
+  RETURNING 1
+)
+SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_secrets;
 
-insert into vault.secrets (secret)
-values
-  ('s3kre3t_k3y');
+INSERT INTO vault.secrets (secret) VALUES ('temp_secret_to_delete_from_decrypted');
+WITH deleted AS (
+  DELETE FROM vault.decrypted_secrets 
+  WHERE secret = 'temp_secret_to_delete_from_decrypted'
+  RETURNING 1
+)
+SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_decrypted_secrets;
 
-select
-  name,
-  description
-from
-  vault.decrypted_secrets 
-order by
-  created_at desc 
-limit
-  3;
- 
+WITH secret_id AS (
+  SELECT id FROM vault.secrets ORDER BY created_at DESC LIMIT 1
+)
+SELECT EXISTS (
+  SELECT 1 FROM vault.update_secret(
+    (SELECT id FROM secret_id),
+    'updated_secret'
+  )
+) AS can_update_secret;
 
+WITH encrypted_value AS (
+  SELECT secret FROM vault.secrets ORDER BY created_at DESC LIMIT 1
+)
+SELECT EXISTS (
+  SELECT 1 FROM vault._crypto_aead_det_decrypt(
+    decode((SELECT secret FROM encrypted_value), 'base64'),
+    convert_to((SELECT id FROM vault.secrets ORDER BY created_at DESC LIMIT 1)::text, 'utf8'),
+    0,
+    'pgsodium'::bytea,
+    (SELECT nonce FROM vault.secrets ORDER BY created_at DESC LIMIT 1)
+  )
+) AS can_decrypt;
 
+RESET ROLE;
