137 changes: 98 additions & 39 deletions nix/tests/expected/vault.out
@@ -1,42 +1,101 @@
select
1
from
vault.create_secret('my_s3kre3t');
?column?
----------
1
(1 row)

select
1
from
vault.create_secret(
SET ROLE service_role;
SELECT EXISTS (
SELECT 1 FROM vault.create_secret('my_s3kre3t')
) AS can_create_secret;
can_create_secret
-------------------
t
(1 row)

SELECT EXISTS (
SELECT 1 FROM vault.create_secret(
'another_s3kre3t',
'unique_name',
'This is the description'
);
?column?
----------
1
(1 row)

insert into vault.secrets (secret)
values
('s3kre3t_k3y');
select
name,
description
from
vault.decrypted_secrets
order by
created_at desc
limit
3;
name | description
-------------+-------------------------
|
unique_name | This is the description
|
(3 rows)


)
) AS can_create_secret_with_params;
can_create_secret_with_params
-------------------------------
t
(1 row)

SELECT EXISTS (
SELECT 1 FROM vault.secrets LIMIT 1
) AS can_select_from_secrets;
can_select_from_secrets
-------------------------
t
(1 row)

INSERT INTO vault.secrets (secret)
VALUES ('s3kre3t_k3y')
RETURNING EXISTS (
SELECT 1
) AS can_insert_into_secrets;
ERROR: permission denied for function _crypto_aead_det_noncegen
SELECT EXISTS (
SELECT name, description FROM vault.decrypted_secrets LIMIT 1
) AS can_select_from_decrypted_secrets;
can_select_from_decrypted_secrets
-----------------------------------
t
(1 row)

INSERT INTO vault.secrets (secret) VALUES ('temp_secret_to_delete');
ERROR: permission denied for function _crypto_aead_det_noncegen
WITH deleted AS (
DELETE FROM vault.secrets
WHERE secret = 'temp_secret_to_delete'
RETURNING 1
)
SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_secrets;
can_delete_from_secrets
-------------------------
f
(1 row)

INSERT INTO vault.secrets (secret) VALUES ('temp_secret_to_delete_from_decrypted');
ERROR: permission denied for function _crypto_aead_det_noncegen
WITH deleted AS (
DELETE FROM vault.decrypted_secrets
WHERE secret = 'temp_secret_to_delete_from_decrypted'
RETURNING 1
)
SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_decrypted_secrets;
can_delete_from_decrypted_secrets
-----------------------------------
f
(1 row)

WITH secret_id AS (
SELECT id FROM vault.secrets ORDER BY created_at DESC LIMIT 1
)
SELECT EXISTS (
SELECT 1 FROM vault.update_secret(
(SELECT id FROM secret_id),
'updated_secret'
)
) AS can_update_secret;
can_update_secret
-------------------
t
(1 row)

WITH encrypted_value AS (
SELECT secret FROM vault.secrets ORDER BY created_at DESC LIMIT 1
)
SELECT EXISTS (
SELECT 1 FROM vault._crypto_aead_det_decrypt(
decode((SELECT secret FROM encrypted_value), 'base64'),
convert_to((SELECT id FROM vault.secrets ORDER BY created_at DESC LIMIT 1)::text, 'utf8'),
0,
'pgsodium'::bytea,
(SELECT nonce FROM vault.secrets ORDER BY created_at DESC LIMIT 1)
)
) AS can_decrypt;
can_decrypt
-------------
t
(1 row)

RESET ROLE;
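Review bot: The expected output now bakes `ERROR: permission denied for function _crypto_aead_det_noncegen` into three expectations (the `can_insert_into_secrets` statement and the two temp-secret inserts), so `can_insert_into_secrets` never yields a boolean and the `f` results for `can_delete_from_secrets` and `can_delete_from_decrypted_secrets` only reflect that no row was inserted, not that `service_role` lacks DELETE. If the intent is to document that direct INSERT is denied, the expectation should be a boolean from a query that is allowed to fail, e.g. a `DO` block or a `BEGIN ... EXCEPTION` wrapper returning `can_insert_into_secrets = f`, rather than an error line that any later change to the message text will break. The `t` for `can_decrypt` also pins that `service_role` may call the internal `vault._crypto_aead_det_decrypt` primitive directly with the `'pgsodium'` associated data and key id `0`; if the intended boundary is the `vault.decrypted_secrets` view, this should be asserted as denied instead — please confirm which is meant and add a comment above the block stating it.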
85 changes: 62 additions & 23 deletions nix/tests/sql/vault.sql
@@ -1,30 +1,69 @@
select
1
from
vault.create_secret('my_s3kre3t');

select
1
from
vault.create_secret(
SET ROLE service_role;

SELECT EXISTS (
SELECT 1 FROM vault.create_secret('my_s3kre3t')
) AS can_create_secret;

SELECT EXISTS (
SELECT 1 FROM vault.create_secret(
'another_s3kre3t',
'unique_name',
'This is the description'
);
)
) AS can_create_secret_with_params;

SELECT EXISTS (
SELECT 1 FROM vault.secrets LIMIT 1
) AS can_select_from_secrets;

INSERT INTO vault.secrets (secret)
VALUES ('s3kre3t_k3y')
RETURNING EXISTS (
SELECT 1
) AS can_insert_into_secrets;

SELECT EXISTS (
SELECT name, description FROM vault.decrypted_secrets LIMIT 1
) AS can_select_from_decrypted_secrets;

INSERT INTO vault.secrets (secret) VALUES ('temp_secret_to_delete');

WITH deleted AS (
DELETE FROM vault.secrets
WHERE secret = 'temp_secret_to_delete'
RETURNING 1
)
SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_secrets;

insert into vault.secrets (secret)
values
('s3kre3t_k3y');
INSERT INTO vault.secrets (secret) VALUES ('temp_secret_to_delete_from_decrypted');
WITH deleted AS (
DELETE FROM vault.decrypted_secrets
WHERE secret = 'temp_secret_to_delete_from_decrypted'
RETURNING 1
)
SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_decrypted_secrets;

select
name,
description
from
vault.decrypted_secrets
order by
created_at desc
limit
3;

WITH secret_id AS (
SELECT id FROM vault.secrets ORDER BY created_at DESC LIMIT 1
)
SELECT EXISTS (
SELECT 1 FROM vault.update_secret(
(SELECT id FROM secret_id),
'updated_secret'
)
) AS can_update_secret;

WITH encrypted_value AS (
SELECT secret FROM vault.secrets ORDER BY created_at DESC LIMIT 1
)
SELECT EXISTS (
SELECT 1 FROM vault._crypto_aead_det_decrypt(
decode((SELECT secret FROM encrypted_value), 'base64'),
convert_to((SELECT id FROM vault.secrets ORDER BY created_at DESC LIMIT 1)::text, 'utf8'),
0,
'pgsodium'::bytea,
(SELECT nonce FROM vault.secrets ORDER BY created_at DESC LIMIT 1)
)
) AS can_decrypt;

RESET ROLE;
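Review bot: The two delete checks (`can_delete_from_secrets`, `can_delete_from_decrypted_secrets`) cannot exercise DELETE privileges as written: the direct `INSERT INTO vault.secrets (secret) VALUES (...)` that precedes each one fails for this role (see the matching `.out`), and even when it succeeds, `WHERE secret = 'temp_secret_to_delete'` compares the plaintext against the stored ciphertext — the `can_decrypt` block itself base64-decodes `vault.secrets.secret` before decrypting — so no row matches and the result is `f` regardless of grants. Create the fixture through the supported API and match on the name it was given, e.g. `SELECT vault.create_secret('temp_secret_to_delete', 'temp_to_delete');` followed by `WHERE name = 'temp_to_delete'` (presumably `name` is a column of the base table as it is on the view — confirm), and apply the same to the `decrypted_secrets` block. `RETURNING EXISTS (SELECT 1)` in the insert check is always true, so it would not detect a partial or rejected write; `RETURNING id` with a `SELECT EXISTS` over a CTE, as the delete blocks already do, is the consistent form.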