From a4e2a40a24df8da9aa3557f5961174c8ffdf5848 Mon Sep 17 00:00:00 2001 From: Bobbie Soedirgo Date: Wed, 19 Feb 2025 20:35:04 +0800 Subject: [PATCH 1/7] Reapply "feat: vault sans pgsodium" This reverts commit 447f4492258babcc57ca0307588814016835d24e. --- .../pg_upgrade_scripts/complete.sh | 37 +++++++++ .../postgresql_config/postgresql.conf.j2 | 2 +- .../supabase_vault/after-create.sql | 3 + ansible/files/sodium_extension.sql | 6 -- ansible/tasks/test-image.yml | 23 +++++- .../files/unit-tests/unit-test-01.sql | 10 +-- flake.nix | 77 +++++++++++-------- nix/ext/vault.nix | 13 ++-- nix/tests/expected/z_15_ext_interface.out | 16 +++- nix/tests/expected/z_17_ext_interface.out | 16 +++- nix/tests/postgresql.conf.in | 3 +- 11 files changed, 143 insertions(+), 63 deletions(-) create mode 100644 ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql delete mode 100644 ansible/files/sodium_extension.sql diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh index 515c490f6..c2367116d 100755 --- a/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh +++ b/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh @@ -150,6 +150,43 @@ EOF run_sql -c "$PATCH_PGMQ_QUERY" run_sql -c "update pg_extension set extowner = 'postgres'::regrole where extname = 'pgmq';" + + # Patch to handle upgrading to pgsodium-less Vault + REENCRYPT_VAULT_SECRETS_QUERY=$(cat < - sed -i.bak - -e 's/\(shared_preload_libraries = '\''.*\)pgsodium,\(.*'\''\)/\1\2/' + sed -i.bak + -e 's/\(shared_preload_libraries = '\''.*\)pgsodium,\(.*'\''\)/\1\2/' + -e 's/\(shared_preload_libraries = '\''.*\)supabase_vault,\(.*'\''\)/\1\2/' + -e 's/\(shared_preload_libraries = '\''.*\), *supabase_vault'\''/\1'\''/' -e 's/pgsodium.getkey_script=/#pgsodium.getkey_script=/' /etc/postgresql/postgresql.conf when: debpkg_mode or stage2_nix +- name: Verify pgsodium and vault removal from config + become: yes + become_user: postgres + shell: + cmd: | + FOUND=$(grep -E "shared_preload_libraries.*pgsodium|shared_preload_libraries.*supabase_vault|^pgsodium\.getkey_script" /etc/postgresql/postgresql.conf) + if [ ! -z "$FOUND" ]; then + echo "Found unremoved references:" + echo "$FOUND" + exit 1 + fi + register: verify_result + failed_when: verify_result.rc != 0 + when: debpkg_mode or stage2_nix + - name: Start Postgres Database to load all extensions. become: yes become_user: postgres diff --git a/ebssurrogate/files/unit-tests/unit-test-01.sql b/ebssurrogate/files/unit-tests/unit-test-01.sql index f3d47459f..c466af12e 100644 --- a/ebssurrogate/files/unit-tests/unit-test-01.sql +++ b/ebssurrogate/files/unit-tests/unit-test-01.sql @@ -17,7 +17,6 @@ BEGIN extension_array := ARRAY[ 'plpgsql', 'pg_stat_statements', - 'pgsodium', 'pgtap', 'pg_graphql', 'pgcrypto', @@ -30,7 +29,6 @@ BEGIN extension_array := ARRAY[ 'plpgsql', 'pg_stat_statements', - 'pgsodium', 'pgtap', 'pg_graphql', 'pgcrypto', @@ -44,7 +42,7 @@ BEGIN PERFORM set_config('myapp.extensions', array_to_string(extension_array, ','), false); END $$; -SELECT plan(8); +SELECT no_plan(); SELECT extensions_are( string_to_array(current_setting('myapp.extensions'), ',')::text[] @@ -56,9 +54,5 @@ SELECT has_schema('pg_catalog'); SELECT has_schema('information_schema'); SELECT has_schema('public'); -SELECT function_privs_are('pgsodium', 'crypto_aead_det_decrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']); -SELECT function_privs_are('pgsodium', 'crypto_aead_det_encrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']); -SELECT function_privs_are('pgsodium', 'crypto_aead_det_keygen', array[]::text[], 'service_role', array['EXECUTE']); - SELECT * FROM finish(); -ROLLBACK; \ No newline at end of file +ROLLBACK; diff --git a/flake.nix b/flake.nix index 9ce842d35..f5bc933a0 100644 --- a/flake.nix +++ b/flake.nix @@ -587,42 +587,49 @@ sqlTests = ./nix/tests/smoke; pg_prove = pkgs.perlPackages.TAPParserSourceHandlerpgTAP; pg_regress = basePackages.pg_regress; - getkey-script = pkgs.writeScriptBin "pgsodium-getkey" '' - #!${pkgs.bash}/bin/bash - set -euo pipefail - - TMPDIR_BASE=$(mktemp -d) - - if [[ "$(uname)" == "Darwin" ]]; then - KEY_DIR="/private/tmp/pgsodium" - else - KEY_DIR="''${PGSODIUM_KEY_DIR:-$TMPDIR_BASE/pgsodium}" - fi - KEY_FILE="$KEY_DIR/pgsodium.key" - - if ! mkdir -p "$KEY_DIR" 2>/dev/null; then - echo "Error: Could not create key directory $KEY_DIR" >&2 - exit 1 - fi - chmod 1777 "$KEY_DIR" - - if [[ ! -f "$KEY_FILE" ]]; then - if ! (dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n' > "$KEY_FILE"); then - if ! (openssl rand -hex 32 > "$KEY_FILE"); then - echo "00000000000000000000000000000000" > "$KEY_FILE" - echo "Warning: Using fallback key" >&2 + getkey-script = pkgs.stdenv.mkDerivation { + name = "pgsodium-getkey"; + buildCommand = '' + mkdir -p $out/bin + cat > $out/bin/pgsodium-getkey << 'EOF' + #!${pkgs.bash}/bin/bash + set -euo pipefail + + TMPDIR_BASE=$(mktemp -d) + + if [[ "$(uname)" == "Darwin" ]]; then + KEY_DIR="/private/tmp/pgsodium" + else + KEY_DIR="''${PGSODIUM_KEY_DIR:-$TMPDIR_BASE/pgsodium}" + fi + KEY_FILE="$KEY_DIR/pgsodium.key" + + if ! mkdir -p "$KEY_DIR" 2>/dev/null; then + echo "Error: Could not create key directory $KEY_DIR" >&2 + exit 1 + fi + chmod 1777 "$KEY_DIR" + + if [[ ! -f "$KEY_FILE" ]]; then + if ! (dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n' > "$KEY_FILE"); then + if ! (openssl rand -hex 32 > "$KEY_FILE"); then + echo "00000000000000000000000000000000" > "$KEY_FILE" + echo "Warning: Using fallback key" >&2 + fi fi + chmod 644 "$KEY_FILE" fi - chmod 644 "$KEY_FILE" - fi - - if [[ -f "$KEY_FILE" && -r "$KEY_FILE" ]]; then - cat "$KEY_FILE" - else - echo "Error: Cannot read key file $KEY_FILE" >&2 - exit 1 - fi - ''; + + if [[ -f "$KEY_FILE" && -r "$KEY_FILE" ]]; then + cat "$KEY_FILE" + else + echo "Error: Cannot read key file $KEY_FILE" >&2 + exit 1 + fi + EOF + chmod +x $out/bin/pgsodium-getkey + ''; + }; # Use the shared setup but with a test-specific name start-postgres-server-bin = makePostgresDevSetup { @@ -691,6 +698,8 @@ echo "listen_addresses = '*'" >> "$PGTAP_CLUSTER"/postgresql.conf echo "port = 5435" >> "$PGTAP_CLUSTER"/postgresql.conf echo "host all all 127.0.0.1/32 trust" >> $PGTAP_CLUSTER/pg_hba.conf + echo "Checking shared_preload_libraries setting:" + grep -rn "shared_preload_libraries" "$PGTAP_CLUSTER"/postgresql.conf # Remove timescaledb if running orioledb-17 check echo "I AM ${pgpkg.version}====================================================" if [[ "${pgpkg.version}" == *"17"* ]]; then diff --git a/nix/ext/vault.nix b/nix/ext/vault.nix index c822fcd51..2cbd7e7a9 100644 --- a/nix/ext/vault.nix +++ b/nix/ext/vault.nix @@ -1,23 +1,24 @@ -{ lib, stdenv, fetchFromGitHub, postgresql }: +{ lib, stdenv, fetchFromGitHub, libsodium, postgresql }: stdenv.mkDerivation rec { pname = "vault"; - version = "0.2.9"; + version = "0.3.1"; - buildInputs = [ postgresql ]; + buildInputs = [ libsodium postgresql ]; src = fetchFromGitHub { owner = "supabase"; repo = pname; rev = "refs/tags/v${version}"; - hash = "sha256-kXTngBW4K6FkZM8HvJG2Jha6OQqbejhnk7tchxy031I="; + hash = "sha256-MC87bqgtynnDhmNZAu96jvfCpsGDCPB0g5TZfRQHd30="; }; installPhase = '' mkdir -p $out/{lib,share/postgresql/extension} - cp sql/*.sql $out/share/postgresql/extension - cp *.control $out/share/postgresql/extension + install -D *${postgresql.dlSuffix} $out/lib + install -D -t $out/share/postgresql/extension sql/*.sql + install -D -t $out/share/postgresql/extension *.control ''; meta = with lib; { diff --git a/nix/tests/expected/z_15_ext_interface.out b/nix/tests/expected/z_15_ext_interface.out index 9914fa3b9..2fedc4366 100644 --- a/nix/tests/expected/z_15_ext_interface.out +++ b/nix/tests/expected/z_15_ext_interface.out @@ -4750,6 +4750,9 @@ order by sslinfo | public | ssl_issuer_dn | | text sslinfo | public | ssl_issuer_field | text | text sslinfo | public | ssl_version | | text + supabase_vault | vault | _crypto_aead_det_decrypt | message bytea, additional bytea, key_id bigint, context bytea, nonce bytea | bytea + supabase_vault | vault | _crypto_aead_det_encrypt | message bytea, additional bytea, key_id bigint, context bytea, nonce bytea | bytea + supabase_vault | vault | _crypto_aead_det_noncegen | | bytea supabase_vault | vault | create_secret | new_secret text, new_name text, new_description text, new_key_id uuid | uuid supabase_vault | vault | update_secret | secret_id uuid, new_secret text, new_name text, new_description text, new_key_id uuid | void tablefunc | public | connectby | text, text, text, text, integer, text | SETOF record @@ -5226,7 +5229,7 @@ order by xml2 | public | xpath_table | text, text, text, text, text | SETOF record xml2 | public | xslt_process | text, text | text xml2 | public | xslt_process | text, text, text | text -(5055 rows) +(5058 rows) /* @@ -6034,6 +6037,15 @@ order by postgis_topology | topology | topology | name postgis_topology | topology | topology | precision postgis_topology | topology | topology | srid + supabase_vault | vault | decrypted_secrets | created_at + supabase_vault | vault | decrypted_secrets | decrypted_secret + supabase_vault | vault | decrypted_secrets | description + supabase_vault | vault | decrypted_secrets | id + supabase_vault | vault | decrypted_secrets | key_id + supabase_vault | vault | decrypted_secrets | name + supabase_vault | vault | decrypted_secrets | nonce + supabase_vault | vault | decrypted_secrets | secret + supabase_vault | vault | decrypted_secrets | updated_at supabase_vault | vault | secrets | created_at supabase_vault | vault | secrets | description supabase_vault | vault | secrets | id @@ -6357,5 +6369,5 @@ order by wrappers | public | wrappers_fdw_stats | rows_in wrappers | public | wrappers_fdw_stats | rows_out wrappers | public | wrappers_fdw_stats | updated_at -(1097 rows) +(1106 rows) diff --git a/nix/tests/expected/z_17_ext_interface.out b/nix/tests/expected/z_17_ext_interface.out index 37f417f81..a0177327a 100644 --- a/nix/tests/expected/z_17_ext_interface.out +++ b/nix/tests/expected/z_17_ext_interface.out @@ -4707,6 +4707,9 @@ order by sslinfo | public | ssl_issuer_dn | | text sslinfo | public | ssl_issuer_field | text | text sslinfo | public | ssl_version | | text + supabase_vault | vault | _crypto_aead_det_decrypt | message bytea, additional bytea, key_id bigint, context bytea, nonce bytea | bytea + supabase_vault | vault | _crypto_aead_det_encrypt | message bytea, additional bytea, key_id bigint, context bytea, nonce bytea | bytea + supabase_vault | vault | _crypto_aead_det_noncegen | | bytea supabase_vault | vault | create_secret | new_secret text, new_name text, new_description text, new_key_id uuid | uuid supabase_vault | vault | update_secret | secret_id uuid, new_secret text, new_name text, new_description text, new_key_id uuid | void tablefunc | public | connectby | text, text, text, text, integer | SETOF record @@ -4906,7 +4909,7 @@ order by xml2 | public | xpath_table | text, text, text, text, text | SETOF record xml2 | public | xslt_process | text, text | text xml2 | public | xslt_process | text, text, text | text -(4747 rows) +(4750 rows) /* @@ -5321,6 +5324,15 @@ order by postgis_topology | topology | topology | name postgis_topology | topology | topology | precision postgis_topology | topology | topology | srid + supabase_vault | vault | decrypted_secrets | created_at + supabase_vault | vault | decrypted_secrets | decrypted_secret + supabase_vault | vault | decrypted_secrets | description + supabase_vault | vault | decrypted_secrets | id + supabase_vault | vault | decrypted_secrets | key_id + supabase_vault | vault | decrypted_secrets | name + supabase_vault | vault | decrypted_secrets | nonce + supabase_vault | vault | decrypted_secrets | secret + supabase_vault | vault | decrypted_secrets | updated_at supabase_vault | vault | secrets | created_at supabase_vault | vault | secrets | description supabase_vault | vault | secrets | id @@ -5338,5 +5350,5 @@ order by wrappers | public | wrappers_fdw_stats | rows_in wrappers | public | wrappers_fdw_stats | rows_out wrappers | public | wrappers_fdw_stats | updated_at -(398 rows) +(407 rows) diff --git a/nix/tests/postgresql.conf.in b/nix/tests/postgresql.conf.in index ef860afcb..483a1a8e2 100644 --- a/nix/tests/postgresql.conf.in +++ b/nix/tests/postgresql.conf.in @@ -718,7 +718,7 @@ default_text_search_config = 'pg_catalog.english' #local_preload_libraries = '' #session_preload_libraries = '' -shared_preload_libraries = 'pg_stat_statements, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, timescaledb, auto_explain, pg_tle, plan_filter, pg_backtrace' # (change requires restart) +shared_preload_libraries = 'pg_stat_statements, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, timescaledb, auto_explain, pg_tle, plan_filter, pg_backtrace, supabase_vault' # (change requires restart) jit_provider = 'llvmjit' # JIT library to use @@ -795,6 +795,7 @@ jit_provider = 'llvmjit' # JIT library to use # Add settings for extensions here pgsodium.getkey_script = '@PGSODIUM_GETKEY_SCRIPT@' +vault.getkey_script = '@PGSODIUM_GETKEY_SCRIPT@' auto_explain.log_min_duration = 10s cron.database_name = 'postgres' From 6f047a70e2fd20974b1ba34d0a7c01206274e95f Mon Sep 17 00:00:00 2001 From: Bobbie Soedirgo Date: Wed, 26 Feb 2025 01:16:50 +0800 Subject: [PATCH 2/7] chore: update schema snapshots --- migrations/schema-15.sql | 67 ------------------------------- migrations/schema-orioledb-17.sql | 67 ------------------------------- migrations/schema.sql | 67 ------------------------------- nix/tests/expected/security.out | 4 +- 4 files changed, 3 insertions(+), 202 deletions(-) diff --git a/migrations/schema-15.sql b/migrations/schema-15.sql index 33bba060f..802fbae79 100644 --- a/migrations/schema-15.sql +++ b/migrations/schema-15.sql @@ -44,27 +44,6 @@ CREATE SCHEMA graphql_public; CREATE SCHEMA pgbouncer; --- --- Name: pgsodium; Type: SCHEMA; Schema: -; Owner: - --- - -CREATE SCHEMA pgsodium; - - --- --- Name: pgsodium; Type: EXTENSION; Schema: -; Owner: - --- - -CREATE EXTENSION IF NOT EXISTS pgsodium WITH SCHEMA pgsodium; - - --- --- Name: EXTENSION pgsodium; Type: COMMENT; Schema: -; Owner: - --- - -COMMENT ON EXTENSION pgsodium IS 'Pgsodium is a modern cryptography library for Postgres.'; - - -- -- Name: realtime; Type: SCHEMA; Schema: -; Owner: - -- @@ -582,28 +561,6 @@ END $$; --- --- Name: secrets_encrypt_secret_secret(); Type: FUNCTION; Schema: vault; Owner: - --- - -CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger - LANGUAGE plpgsql - AS $$ - BEGIN - new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE - CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode( - pgsodium.crypto_aead_det_encrypt( - pg_catalog.convert_to(new.secret, 'utf8'), - pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'), - new.key_id::uuid, - new.nonce - ), - 'base64') END END; - RETURN new; - END; - $$; - - SET default_tablespace = ''; SET default_table_access_method = heap; @@ -790,30 +747,6 @@ CREATE TABLE storage.objects ( ); --- --- Name: decrypted_secrets; Type: VIEW; Schema: vault; Owner: - --- - -CREATE VIEW vault.decrypted_secrets AS - SELECT secrets.id, - secrets.name, - secrets.description, - secrets.secret, - CASE - WHEN (secrets.secret IS NULL) THEN NULL::text - ELSE - CASE - WHEN (secrets.key_id IS NULL) THEN NULL::text - ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secrets.secret, 'base64'::text), convert_to(((((secrets.id)::text || secrets.description) || (secrets.created_at)::text) || (secrets.updated_at)::text), 'utf8'::name), secrets.key_id, secrets.nonce), 'utf8'::name) - END - END AS decrypted_secret, - secrets.key_id, - secrets.nonce, - secrets.created_at, - secrets.updated_at - FROM vault.secrets; - - -- -- Name: refresh_tokens id; Type: DEFAULT; Schema: auth; Owner: - -- diff --git a/migrations/schema-orioledb-17.sql b/migrations/schema-orioledb-17.sql index 28e756fc9..c540492ca 100644 --- a/migrations/schema-orioledb-17.sql +++ b/migrations/schema-orioledb-17.sql @@ -45,27 +45,6 @@ CREATE SCHEMA graphql_public; CREATE SCHEMA pgbouncer; --- --- Name: pgsodium; Type: SCHEMA; Schema: -; Owner: - --- - -CREATE SCHEMA pgsodium; - - --- --- Name: pgsodium; Type: EXTENSION; Schema: -; Owner: - --- - -CREATE EXTENSION IF NOT EXISTS pgsodium WITH SCHEMA pgsodium; - - --- --- Name: EXTENSION pgsodium; Type: COMMENT; Schema: -; Owner: - --- - -COMMENT ON EXTENSION pgsodium IS 'Pgsodium is a modern cryptography library for Postgres.'; - - -- -- Name: realtime; Type: SCHEMA; Schema: -; Owner: - -- @@ -597,28 +576,6 @@ END $$; --- --- Name: secrets_encrypt_secret_secret(); Type: FUNCTION; Schema: vault; Owner: - --- - -CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger - LANGUAGE plpgsql - AS $$ - BEGIN - new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE - CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode( - pgsodium.crypto_aead_det_encrypt( - pg_catalog.convert_to(new.secret, 'utf8'), - pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'), - new.key_id::uuid, - new.nonce - ), - 'base64') END END; - RETURN new; - END; - $$; - - SET default_tablespace = ''; SET default_table_access_method = orioledb; @@ -805,30 +762,6 @@ CREATE TABLE storage.objects ( ); --- --- Name: decrypted_secrets; Type: VIEW; Schema: vault; Owner: - --- - -CREATE VIEW vault.decrypted_secrets AS - SELECT id, - name, - description, - secret, - CASE - WHEN (secret IS NULL) THEN NULL::text - ELSE - CASE - WHEN (key_id IS NULL) THEN NULL::text - ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secret, 'base64'::text), convert_to(((((id)::text || description) || (created_at)::text) || (updated_at)::text), 'utf8'::name), key_id, nonce), 'utf8'::name) - END - END AS decrypted_secret, - key_id, - nonce, - created_at, - updated_at - FROM vault.secrets; - - -- -- Name: refresh_tokens id; Type: DEFAULT; Schema: auth; Owner: - -- diff --git a/migrations/schema.sql b/migrations/schema.sql index 1bff8b9d8..cb031f797 100644 --- a/migrations/schema.sql +++ b/migrations/schema.sql @@ -44,27 +44,6 @@ CREATE SCHEMA graphql_public; CREATE SCHEMA pgbouncer; --- --- Name: pgsodium; Type: SCHEMA; Schema: -; Owner: - --- - -CREATE SCHEMA pgsodium; - - --- --- Name: pgsodium; Type: EXTENSION; Schema: -; Owner: - --- - -CREATE EXTENSION IF NOT EXISTS pgsodium WITH SCHEMA pgsodium; - - --- --- Name: EXTENSION pgsodium; Type: COMMENT; Schema: -; Owner: - --- - -COMMENT ON EXTENSION pgsodium IS 'Pgsodium is a modern cryptography library for Postgres.'; - - -- -- Name: realtime; Type: SCHEMA; Schema: -; Owner: - -- @@ -574,28 +553,6 @@ END $$; --- --- Name: secrets_encrypt_secret_secret(); Type: FUNCTION; Schema: vault; Owner: - --- - -CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger - LANGUAGE plpgsql - AS $$ - BEGIN - new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE - CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode( - pgsodium.crypto_aead_det_encrypt( - pg_catalog.convert_to(new.secret, 'utf8'), - pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'), - new.key_id::uuid, - new.nonce - ), - 'base64') END END; - RETURN new; - END; - $$; - - SET default_tablespace = ''; SET default_table_access_method = heap; @@ -782,30 +739,6 @@ CREATE TABLE storage.objects ( ); --- --- Name: decrypted_secrets; Type: VIEW; Schema: vault; Owner: - --- - -CREATE VIEW vault.decrypted_secrets AS - SELECT secrets.id, - secrets.name, - secrets.description, - secrets.secret, - CASE - WHEN (secrets.secret IS NULL) THEN NULL::text - ELSE - CASE - WHEN (secrets.key_id IS NULL) THEN NULL::text - ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secrets.secret, 'base64'::text), convert_to(((((secrets.id)::text || secrets.description) || (secrets.created_at)::text) || (secrets.updated_at)::text), 'utf8'::name), secrets.key_id, secrets.nonce), 'utf8'::name) - END - END AS decrypted_secret, - secrets.key_id, - secrets.nonce, - secrets.created_at, - secrets.updated_at - FROM vault.secrets; - - -- -- Name: refresh_tokens id; Type: DEFAULT; Schema: auth; Owner: - -- diff --git a/nix/tests/expected/security.out b/nix/tests/expected/security.out index 58207b605..a01ecf7a2 100644 --- a/nix/tests/expected/security.out +++ b/nix/tests/expected/security.out @@ -26,5 +26,7 @@ order by 1,2; public | st_estimatedextent public | st_estimatedextent repack | repack_trigger -(17 rows) + vault | create_secret + vault | update_secret +(19 rows) From 193941eda5937e02cfad12f09373c864a4a6ee95 Mon Sep 17 00:00:00 2001 From: Bobbie Soedirgo Date: Wed, 26 Feb 2025 01:30:51 +0800 Subject: [PATCH 3/7] chore: print regress diffs for easier debugging --- flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/flake.nix b/flake.nix index f5bc933a0..f6494a411 100644 --- a/flake.nix +++ b/flake.nix @@ -798,6 +798,7 @@ --user=supabase_admin \ ${builtins.concatStringsSep " " sortedTestList}; then echo "pg_regress tests failed" + cat $out/regression_output/regression.diffs exit 1 fi From 31303d3a75689b09335e005f92a901f1f20feff0 Mon Sep 17 00:00:00 2001 From: Bobbie Soedirgo Date: Wed, 26 Feb 2025 16:44:48 +0800 Subject: [PATCH 4/7] chore: remove pgsodium priv checks --- migrations/tests/database/privs.sql | 4 ---- 1 file changed, 4 deletions(-) diff --git a/migrations/tests/database/privs.sql b/migrations/tests/database/privs.sql index d164e0cb1..ea4f1318a 100644 --- a/migrations/tests/database/privs.sql +++ b/migrations/tests/database/privs.sql @@ -2,10 +2,6 @@ SELECT database_privs_are( 'postgres', 'postgres', ARRAY['CONNECT', 'TEMPORARY', 'CREATE'] ); -SELECT function_privs_are('pgsodium', 'crypto_aead_det_decrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']); -SELECT function_privs_are('pgsodium', 'crypto_aead_det_encrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']); -SELECT function_privs_are('pgsodium', 'crypto_aead_det_keygen', array[]::text[], 'service_role', array['EXECUTE']); - -- Verify public schema privileges SELECT schema_privs_are('public', 'postgres', array['CREATE', 'USAGE']); SELECT schema_privs_are('public', 'anon', array['USAGE']); From c77280735f51248801585d653019c6b09642b3b3 Mon Sep 17 00:00:00 2001 From: Bobbie Soedirgo Date: Wed, 5 Mar 2025 21:50:55 +0800 Subject: [PATCH 5/7] fix: move it out of if else --- .../pg_upgrade_scripts/complete.sh | 72 +++++++++---------- 1 file changed, 36 insertions(+), 36 deletions(-) diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh index c2367116d..cd6c1f066 100755 --- a/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh +++ b/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh @@ -150,44 +150,44 @@ EOF run_sql -c "$PATCH_PGMQ_QUERY" run_sql -c "update pg_extension set extowner = 'postgres'::regrole where extname = 'pgmq';" + fi - # Patch to handle upgrading to pgsodium-less Vault - REENCRYPT_VAULT_SECRETS_QUERY=$(cat < Date: Mon, 17 Mar 2025 16:04:38 +0100 Subject: [PATCH 6/7] chore: bump version --- ansible/vars.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/vars.yml b/ansible/vars.yml index 381fb9510..fae61716a 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml @@ -8,8 +8,8 @@ postgres_major: # Full version strings for each major version postgres_release: - postgresorioledb-17: "17.0.1.048-orioledb" - postgres15: "15.8.1.055" + postgresorioledb-17: "17.0.1.049-orioledb" + postgres15: "15.8.1.056" # Non Postgres Extensions pgbouncer_release: "1.19.0" From 04eb1140576c6855a84fc358dade6b14bd6fcda7 Mon Sep 17 00:00:00 2001 From: Bobbie Soedirgo Date: Wed, 19 Mar 2025 09:44:22 +0100 Subject: [PATCH 7/7] chore: bump version --- ansible/vars.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/vars.yml b/ansible/vars.yml index fae61716a..339d2effd 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml @@ -8,8 +8,8 @@ postgres_major: # Full version strings for each major version postgres_release: - postgresorioledb-17: "17.0.1.049-orioledb" - postgres15: "15.8.1.056" + postgresorioledb-17: "17.0.1.050-orioledb" + postgres15: "15.8.1.057" # Non Postgres Extensions pgbouncer_release: "1.19.0"