From cfef39cf0a4fcf8d861e19c7f0ec217374d93dbe Mon Sep 17 00:00:00 2001
From: Bobbie Soedirgo
Date: Mon, 6 Jan 2025 16:38:18 +0800
Subject: [PATCH 1/2] fix: pgsodium after-create script
---
 .../pgsodium/after-create.sql | 23 +++++++++++++++++++
 .../pgsodium/before-create.sql | 9 ++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 ansible/files/postgresql_extension_custom_scripts/pgsodium/before-create.sql
diff --git a/ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql b/ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql
index 907c67ebf..38242ab20 100644
--- a/ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql
+++ b/ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql
@@ -1,3 +1,26 @@
 grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, bytea) to service_role;
 grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role;
 grant execute on function pgsodium.crypto_aead_det_keygen to service_role;
+
+CREATE OR REPLACE FUNCTION pgsodium.mask_role(masked_role regrole, source_name text, view_name text)
+RETURNS void
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path TO ''
+AS $function$
+BEGIN
+ EXECUTE format(
+ 'GRANT SELECT ON pgsodium.key TO %s',
+ masked_role);
+
+ EXECUTE format(
+ 'GRANT pgsodium_keyiduser, pgsodium_keyholder TO %s',
+ masked_role);
+
+ EXECUTE format(
+ 'GRANT ALL ON %I TO %s',
+ view_name,
+ masked_role);
+ RETURN;
+END
+$function$;
diff --git a/ansible/files/postgresql_extension_custom_scripts/pgsodium/before-create.sql b/ansible/files/postgresql_extension_custom_scripts/pgsodium/before-create.sql
new file mode 100644
index 000000000..fb82a46a3
--- /dev/null
+++ b/ansible/files/postgresql_extension_custom_scripts/pgsodium/before-create.sql
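Review bot: In the third `EXECUTE` of `pgsodium.mask_role` (after-create.sql), `%I` renders `view_name` as a single quoted identifier while the function runs with `search_path` set to `''`, so a schema-qualified value is looked up as one relation name and a bare name resolves only in the implicitly searched schemas; for an ordinary view that GRANT will most likely raise. If failing closed is the intent, say so above the statement, e.g. `-- view_name is quoted as one identifier and resolved with an empty search_path; qualified names do not resolve, on purpose`. Separately, the function is `SECURITY DEFINER` and hands out `pgsodium_keyholder` membership plus `SELECT` on `pgsodium.key`, and nothing in this hunk limits who may call it; unless the extension's own script already restricts it, follow the definition with `revoke execute on function pgsodium.mask_role(regrole, text, text) from public;`. `source_name` is never read in the body and is presumably kept only to preserve the signature, which deserves a one-line comment.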
@@ -0,0 +1,9 @@
+do $$
+declare
+ _extversion text := @extversion@;
+ _r record;
+begin
+ if _extversion is not null and _extversion != '3.1.8' then
+ raise exception 'only pgsodium 3.1.8 is supported';
+ end if;
+end $$;
From f1eca44bc1e5dbb32e2f331afda8cd4b0e24da23 Mon Sep 17 00:00:00 2001
From: Bobbie Soedirgo
Date: Wed, 15 Jan 2025 16:34:56 +0800
Subject: [PATCH 2/2] chore: bump version
---
 ansible/vars.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ansible/vars.yml b/ansible/vars.yml
index dba3aff49..2a1cdb357 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -8,8 +8,8 @@ postgres_major:
 # Full version strings for each major version
 postgres_release:
- postgresorioledb-17: "17.0.1.019-orioledb"
- postgres15: "15.8.1.029"
+ postgresorioledb-17: "17.0.1.020-orioledb"
+ postgres15: "15.8.1.030"
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"
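Review bot: The guard in the `do` block of before-create.sql lets a null `_extversion` through, which presumably is the case where `create extension` runs without an explicit version, so the pin to 3.1.8 then rests on the packaged default version rather than on this check. Since after-create.sql replaces `pgsodium.mask_role` on the assumption of that exact version, a comment above the `if` should make the dependency explicit, e.g. `-- null means no VERSION clause; the packaged default version is expected to be 3.1.8`. `_r record;` is declared but never used and can be dropped, and the error would be easier to act on with the rejected value included: `raise exception 'only pgsodium 3.1.8 is supported, got %', _extversion;`.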