chore: enable Vault with safety measures (#611)

dragarcia · pcnc · commit 84f1ecf05eae · 2023-04-10T21:40:53.000+03:00
* chore: re-enable Vault

* chore: bump version

* chore: version as rc

* fix: formatting

* chore: build test image from branch

* chore: trigger build

* chore: remove branch

* chore: bump version

* chore: add safeguards when enabling Vaault

* chore: revert changes

* chore: safeguard both pgsodium and vault

* chore: bump version
diff --git a/ansible/tasks/setup-extensions.yml b/ansible/tasks/setup-extensions.yml
@@ -66,8 +66,8 @@
 - name: Install auto_explain
   import_tasks: tasks/postgres-extensions/21-auto_explain.yml
 
-# - name: Install vault
-#   import_tasks: tasks/postgres-extensions/23-vault.yml
+- name: Install vault
+  import_tasks: tasks/postgres-extensions/23-vault.yml
 
 - name: Install PGroonga
   import_tasks: tasks/postgres-extensions/24-pgroonga.yml
diff --git a/common.vars.pkr.hcl b/common.vars.pkr.hcl
@@ -1 +1 @@
-postgres-version = "15.1.0.66"
+postgres-version = "15.1.0.67"
diff --git a/ebssurrogate/files/unit-tests/unit-test-01.sql b/ebssurrogate/files/unit-tests/unit-test-01.sql
@@ -12,7 +12,8 @@ SELECT extensions_are(
     'pg_graphql',
     'pgcrypto',
     'pgjwt',
-    'uuid-ossp'
+    'uuid-ossp',
+    'supabase_vault'
      ]
 );
 
diff --git a/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql b/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql
@@ -1,15 +1,39 @@
 -- migrate:up
 
-create extension if not exists pgsodium;
+DO $$
+DECLARE
+  pgsodium_exists boolean;
+  vault_exists boolean;
+BEGIN
+  pgsodium_exists = (
+    select count(*) = 1 
+    from pg_available_extensions 
+    where name = 'pgsodium'
+  );
+  
+  vault_exists = (
+      select count(*) = 1 
+      from pg_available_extensions 
+      where name = 'supabase_vault'
+  );
 
-grant pgsodium_keyiduser to postgres with admin option;
-grant pgsodium_keyholder to postgres with admin option;
-grant pgsodium_keymaker  to postgres with admin option;
+  IF pgsodium_exists 
+  THEN
+    create extension if not exists pgsodium;
 
-grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, bytea) to service_role;
-grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role;
-grant execute on function pgsodium.crypto_aead_det_keygen to service_role;
+    grant pgsodium_keyiduser to postgres with admin option;
+    grant pgsodium_keyholder to postgres with admin option;
+    grant pgsodium_keymaker  to postgres with admin option;
 
--- create extension if not exists supabase_vault;
+    grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, bytea) to service_role;
+    grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role;
+    grant execute on function pgsodium.crypto_aead_det_keygen to service_role;
+
+    IF vault_exists
+    THEN
+      create extension if not exists supabase_vault;
+    END IF;
+  END IF;
+END $$;
 
 -- migrate:down
diff --git a/migrations/schema.sql b/migrations/schema.sql
@@ -79,6 +79,13 @@ CREATE SCHEMA realtime;
 CREATE SCHEMA storage;
 
 
+--
+-- Name: vault; Type: SCHEMA; Schema: -; Owner: -
+--
+
+CREATE SCHEMA vault;
+
+
 --
 -- Name: pg_graphql; Type: EXTENSION; Schema: -; Owner: -
 --
@@ -135,6 +142,20 @@ CREATE EXTENSION IF NOT EXISTS pgjwt WITH SCHEMA extensions;
 COMMENT ON EXTENSION pgjwt IS 'JSON Web Token API for Postgresql';
 
 
+--
+-- Name: supabase_vault; Type: EXTENSION; Schema: -; Owner: -
+--
+
+CREATE EXTENSION IF NOT EXISTS supabase_vault WITH SCHEMA vault;
+
+
+--
+-- Name: EXTENSION supabase_vault; Type: COMMENT; Schema: -; Owner: -
+--
+
+COMMENT ON EXTENSION supabase_vault IS 'Supabase Vault Extension';
+
+
 --
 -- Name: uuid-ossp; Type: EXTENSION; Schema: -; Owner: -
 --
@@ -552,6 +573,28 @@ END
 $$;
 
 
+--
+-- Name: secrets_encrypt_secret_secret(); Type: FUNCTION; Schema: vault; Owner: -
+--
+
+CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger
+    LANGUAGE plpgsql
+    AS $$
+		BEGIN
+		        new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE
+			CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode(
+			  pgsodium.crypto_aead_det_encrypt(
+				pg_catalog.convert_to(new.secret, 'utf8'),
+				pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'),
+				new.key_id::uuid,
+				new.nonce
+			  ),
+				'base64') END END;
+		RETURN new;
+		END;
+		$$;
+
+
 SET default_tablespace = '';
 
 SET default_table_access_method = heap;
@@ -738,6 +781,30 @@ CREATE TABLE storage.objects (
 );
 
 
+--
+-- Name: decrypted_secrets; Type: VIEW; Schema: vault; Owner: -
+--
+
+CREATE VIEW vault.decrypted_secrets AS
+ SELECT secrets.id,
+    secrets.name,
+    secrets.description,
+    secrets.secret,
+        CASE
+            WHEN (secrets.secret IS NULL) THEN NULL::text
+            ELSE
+            CASE
+                WHEN (secrets.key_id IS NULL) THEN NULL::text
+                ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secrets.secret, 'base64'::text), convert_to(((((secrets.id)::text || secrets.description) || (secrets.created_at)::text) || (secrets.updated_at)::text), 'utf8'::name), secrets.key_id, secrets.nonce), 'utf8'::name)
+            END
+        END AS decrypted_secret,
+    secrets.key_id,
+    secrets.nonce,
+    secrets.created_at,
+    secrets.updated_at
+   FROM vault.secrets;
+
+
 --
 -- Name: refresh_tokens id; Type: DEFAULT; Schema: auth; Owner: -
 --
diff --git a/migrations/tests/extensions/test.sql b/migrations/tests/extensions/test.sql
@@ -21,7 +21,7 @@
 \ir 20-pg_stat_monitor.sql
 \ir 21-auto_explain.sql
 \ir 22-pg_jsonschema.sql
--- \ir 23-vault.sql
+\ir 23-vault.sql
 \ir 24-pgroonga.sql
 \ir 25-wrappers.sql
 \ir 26-hypopg.sql

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-postgres-version = "15.1.0.66"`
	`1`	`+postgres-version = "15.1.0.67"`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,8 @@ SELECT extensions_are(`
`12`	`12`	`'pg_graphql',`
`13`	`13`	`'pgcrypto',`
`14`	`14`	`'pgjwt',`
`15`		`- 'uuid-ossp'`
	`15`	`+ 'uuid-ossp',`
	`16`	`+ 'supabase_vault'`
`16`	`17`	`]`
`17`	`18`	`);`
`18`	`19`