From f7ce3e6b973996d1413d1004f4ac9eeeaec6b88d Mon Sep 17 00:00:00 2001 From: dragarcia Date: Wed, 29 Mar 2023 10:53:49 +0800 Subject: [PATCH 01/12] chore: re-enable Vault --- ansible/tasks/setup-extensions.yml | 4 +- .../files/unit-tests/unit-test-01.sql | 3 +- ...221207154255_create_pgsodium_and_vault.sql | 2 +- migrations/schema.sql | 67 +++++++++++++++++++ migrations/tests/extensions/test.sql | 2 +- 5 files changed, 73 insertions(+), 5 deletions(-) diff --git a/ansible/tasks/setup-extensions.yml b/ansible/tasks/setup-extensions.yml index 5e917d388..86af557f9 100644 --- a/ansible/tasks/setup-extensions.yml +++ b/ansible/tasks/setup-extensions.yml @@ -64,8 +64,8 @@ - name: Install auto_explain import_tasks: tasks/postgres-extensions/21-auto_explain.yml -# - name: Install vault -# import_tasks: tasks/postgres-extensions/23-vault.yml +- name: Install vault + import_tasks: tasks/postgres-extensions/23-vault.yml - name: Install PGroonga import_tasks: tasks/postgres-extensions/24-pgroonga.yml diff --git a/ebssurrogate/files/unit-tests/unit-test-01.sql b/ebssurrogate/files/unit-tests/unit-test-01.sql index 72ff06226..0feb70e8b 100644 --- a/ebssurrogate/files/unit-tests/unit-test-01.sql +++ b/ebssurrogate/files/unit-tests/unit-test-01.sql @@ -12,7 +12,8 @@ SELECT extensions_are( 'pg_graphql', 'pgcrypto', 'pgjwt', - 'uuid-ossp' + 'uuid-ossp', + 'supabase_vault' ] ); diff --git a/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql b/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql index 9a863bdaf..f30fee93e 100644 --- a/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql +++ b/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql 
@@ -10,6 +10,6 @@ grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, b grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role; grant execute on function pgsodium.crypto_aead_det_keygen to service_role; --- create extension if not exists supabase_vault; +create extension if not exists supabase_vault; -- migrate:down diff --git a/migrations/schema.sql b/migrations/schema.sql index 9d2d61205..fa10ba773 100644 --- a/migrations/schema.sql +++ b/migrations/schema.sql @@ -79,6 +79,13 @@ CREATE SCHEMA realtime; CREATE SCHEMA storage; +-- +-- Name: vault; Type: SCHEMA; Schema: -; Owner: - +-- + +CREATE SCHEMA vault; + + -- -- Name: pg_graphql; Type: EXTENSION; Schema: -; Owner: - -- @@ -135,6 +142,20 @@ CREATE EXTENSION IF NOT EXISTS pgjwt WITH SCHEMA extensions; COMMENT ON EXTENSION pgjwt IS 'JSON Web Token API for Postgresql'; +-- +-- Name: supabase_vault; Type: EXTENSION; Schema: -; Owner: - +-- + +CREATE EXTENSION IF NOT EXISTS supabase_vault WITH SCHEMA vault; + + +-- +-- Name: EXTENSION supabase_vault; Type: COMMENT; Schema: -; Owner: - +-- + +COMMENT ON EXTENSION supabase_vault IS 'Supabase Vault Extension'; + + -- -- Name: uuid-ossp; Type: EXTENSION; Schema: -; Owner: - -- @@ -552,6 +573,28 @@ END $$; +-- +-- Name: secrets_encrypt_secret_secret(); Type: FUNCTION; Schema: vault; Owner: - +-- + +CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger + LANGUAGE plpgsql + AS $$ + BEGIN + new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE + CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode( + pgsodium.crypto_aead_det_encrypt( + pg_catalog.convert_to(new.secret, 'utf8'), + pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'), + new.key_id::uuid, + new.nonce + ), + 'base64') END END; + RETURN new; + END; + $$; + + SET default_tablespace = ''; SET default_table_access_method = heap; 
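Review bot: The associated data in the new `vault.secrets_encrypt_secret_secret()` body, `new.id::text || new.description::text || new.created_at::text || new.updated_at::text`, collapses to NULL whenever `description` is NULL, so for such rows the ciphertext is not bound to the id or timestamps at all; the `vault.decrypted_secrets` view in the `@@ -738` hunk builds the same expression and therefore still decrypts, which hides the gap. Whether `description` is nullable cannot be seen here, since the `vault.secrets` table is not part of this diff. This file looks like pg_dump output of the extension's own objects, so the change belongs in the extension script rather than in the dump; there, `COALESCE(new.description, '')` on both the encrypt and decrypt side (or a NOT NULL on the column) would keep the binding. A short comment above the function, such as `-- AAD = id||description||created_at||updated_at, concatenated without a delimiter; must match vault.decrypted_secrets`, would help readers of this dump.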
@@ -738,6 +781,30 @@ CREATE TABLE storage.objects ( ); +-- +-- Name: decrypted_secrets; Type: VIEW; Schema: vault; Owner: - +-- + +CREATE VIEW vault.decrypted_secrets AS + SELECT secrets.id, + secrets.name, + secrets.description, + secrets.secret, + CASE + WHEN (secrets.secret IS NULL) THEN NULL::text + ELSE + CASE + WHEN (secrets.key_id IS NULL) THEN NULL::text + ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secrets.secret, 'base64'::text), convert_to(((((secrets.id)::text || secrets.description) || (secrets.created_at)::text) || (secrets.updated_at)::text), 'utf8'::name), secrets.key_id, secrets.nonce), 'utf8'::name) + END + END AS decrypted_secret, + secrets.key_id, + secrets.nonce, + secrets.created_at, + secrets.updated_at + FROM vault.secrets; + + -- -- Name: refresh_tokens id; Type: DEFAULT; Schema: auth; Owner: - -- diff --git a/migrations/tests/extensions/test.sql b/migrations/tests/extensions/test.sql index 47e8e107b..7e0d1f38d 100644 --- a/migrations/tests/extensions/test.sql +++ b/migrations/tests/extensions/test.sql @@ -21,7 +21,7 @@ \ir 20-pg_stat_monitor.sql \ir 21-auto_explain.sql \ir 22-pg_jsonschema.sql --- \ir 23-vault.sql +\ir 23-vault.sql \ir 24-pgroonga.sql \ir 25-wrappers.sql \ir 26-hypopg.sql From df42e1fb67f5fe9622825275224d445aa275b87d Mon Sep 17 00:00:00 2001 From: dragarcia Date: Wed, 29 Mar 2023 10:54:01 +0800 Subject: [PATCH 02/12] chore: bump version --- common.vars.pkr.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common.vars.pkr.hcl b/common.vars.pkr.hcl index 074f217b8..de698c107 100644 --- a/common.vars.pkr.hcl +++ b/common.vars.pkr.hcl @@ -1 +1 @@ -postgres-version = "15.1.0.62" +postgres-version = "15.1.0.63" From 2ab75b00b30e4ffc8e402e92b006ffee63b34d11 Mon Sep 17 00:00:00 2001 From: dragarcia Date: Wed, 29 Mar 2023 11:10:46 +0800 Subject: [PATCH 03/12] chore: version as rc --- common.vars.pkr.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
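Review bot: `vault.decrypted_secrets` returns the plaintext of every row to any role that can SELECT from the view, and this hunk adds no REVOKE or GRANT for it, so the effective privileges depend on what the extension's install script and later sections of the dump set, neither of which is visible here. The unit test added in this patch only asserts that the extension is present; a privilege assertion on the view (pgTAP `table_privs_are` on `vault.decrypted_secrets` for `anon` and `authenticated` expecting no privileges) would pin the intended access before this ships. A header comment such as `-- Exposes plaintext secrets; grant SELECT only to the roles that may read them` above the view would make the sensitivity explicit to anyone reading the dump.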
diff --git a/common.vars.pkr.hcl b/common.vars.pkr.hcl index de698c107..1665bd0f4 100644 --- a/common.vars.pkr.hcl +++ b/common.vars.pkr.hcl @@ -1 +1 @@ -postgres-version = "15.1.0.63" +postgres-version = "15.1.0.63-rc" From 6d448b36b190fa14b03430b6c350bf28a1861847 Mon Sep 17 00:00:00 2001 From: dragarcia Date: Wed, 29 Mar 2023 11:42:05 +0800 Subject: [PATCH 04/12] fix: formatting --- migrations/schema.sql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/migrations/schema.sql b/migrations/schema.sql index fa10ba773..5bb4b15b0 100644 --- a/migrations/schema.sql +++ b/migrations/schema.sql @@ -581,7 +581,7 @@ CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger LANGUAGE plpgsql AS $$ BEGIN - new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE + new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode( pgsodium.crypto_aead_det_encrypt( pg_catalog.convert_to(new.secret, 'utf8'), From e9e48d4bcd3173eefe44f71440bc3ac2600932e0 Mon Sep 17 00:00:00 2001 From: dragarcia Date: Wed, 29 Mar 2023 11:56:31 +0800 Subject: [PATCH 05/12] chore: build test image from branch --- .github/workflows/ami-release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ami-release.yml b/.github/workflows/ami-release.yml index 79f6787de..f742ae264 100644 --- a/.github/workflows/ami-release.yml +++ b/.github/workflows/ami-release.yml @@ -4,6 +4,7 @@ on: push: branches: - develop + - drag/enable_vault paths: - '.github/workflows/ami-release.yml' - 'common.vars.pkr.hcl' From a3d9d788876254b163746d03829f5b1a95639d02 Mon Sep 17 00:00:00 2001 From: dragarcia Date: Tue, 4 Apr 2023 10:45:06 +0800 Subject: [PATCH 06/12] chore: trigger build --- common.vars.pkr.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common.vars.pkr.hcl b/common.vars.pkr.hcl index 1665bd0f4..4d571bb79 100644 --- a/common.vars.pkr.hcl +++ b/common.vars.pkr.hcl 
@@ -1 +1 @@ -postgres-version = "15.1.0.63-rc" +postgres-version = "15.1.0.65-rc" From c227c7b483a53b6718a9b91baeba8468fb5db072 Mon Sep 17 00:00:00 2001 From: dragarcia Date: Tue, 4 Apr 2023 20:59:53 +0800 Subject: [PATCH 07/12] chore: remove branch --- .github/workflows/ami-release.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ami-release.yml b/.github/workflows/ami-release.yml index f742ae264..79f6787de 100644 --- a/.github/workflows/ami-release.yml +++ b/.github/workflows/ami-release.yml @@ -4,7 +4,6 @@ on: push: branches: - develop - - drag/enable_vault paths: - '.github/workflows/ami-release.yml' - 'common.vars.pkr.hcl' From 479a1ea789517dd439ec63ff7bb4d284a11c0842 Mon Sep 17 00:00:00 2001 From: dragarcia Date: Tue, 4 Apr 2023 21:01:17 +0800 Subject: [PATCH 08/12] chore: bump version --- common.vars.pkr.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common.vars.pkr.hcl b/common.vars.pkr.hcl index 4d571bb79..fee110082 100644 --- a/common.vars.pkr.hcl +++ b/common.vars.pkr.hcl @@ -1 +1 @@ -postgres-version = "15.1.0.65-rc" +postgres-version = "15.1.0.65" From 5b1e603c68bd07e0848b4efd69d7ce5dfb5b135e Mon Sep 17 00:00:00 2001 From: dragarcia Date: Thu, 6 Apr 2023 14:53:06 +0800 Subject: [PATCH 09/12] chore: add safeguards when enabling Vaault --- ...221207154255_create_pgsodium_and_vault.sql | 19 ++- migrations/schema.sql | 142 ++++++++++++------ 2 files changed, 112 insertions(+), 49 deletions(-) diff --git a/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql b/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql index f30fee93e..813acb18e 100644 --- a/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql +++ b/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql 
@@ -10,6 +10,23 @@ grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, b grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role; grant execute on function pgsodium.crypto_aead_det_keygen to service_role; -create extension if not exists supabase_vault; +-- Only install as well if the extension is actually installed +DO $$ +DECLARE + vault_exists boolean; +BEGIN + vault_exists = ( + select count(*) = 1 + from pg_available_extensions + where name = 'supabase_vault' + ); + + IF vault_exists + THEN + create extension if not exists supabase_vault; + END IF; +END $$; + + -- migrate:down diff --git a/migrations/schema.sql b/migrations/schema.sql index 5bb4b15b0..fed524a62 100644 --- a/migrations/schema.sql +++ b/migrations/schema.sql @@ -78,14 +78,6 @@ CREATE SCHEMA realtime; CREATE SCHEMA storage; - --- --- Name: vault; Type: SCHEMA; Schema: -; Owner: - --- - -CREATE SCHEMA vault; - - -- -- Name: pg_graphql; Type: EXTENSION; Schema: -; Owner: - -- 
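Review bot: The comment `-- Only install as well if the extension is actually installed` says the opposite of what the check does: `pg_available_extensions` lists extensions whose control file is present on the server, not extensions already installed in the database, and `create extension if not exists` is the step that installs it. Suggest `-- Install supabase_vault only when its package is available on this server (pg_available_extensions); CREATE EXTENSION would otherwise abort the whole migration`. `count(*) = 1` could also be written as `exists (select 1 from pg_available_extensions where name = 'supabase_vault')`, which reads as the boolean it is.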
@@ -141,19 +133,43 @@ CREATE EXTENSION IF NOT EXISTS pgjwt WITH SCHEMA extensions; COMMENT ON EXTENSION pgjwt IS 'JSON Web Token API for Postgresql'; - -- --- Name: supabase_vault; Type: EXTENSION; Schema: -; Owner: - -- +-- + +DO $$ +DECLARE + vault_exists boolean; +BEGIN + vault_exists = ( + select count(*) = 1 + from pg_available_extensions + where name = 'supabase_vault' + ); -CREATE EXTENSION IF NOT EXISTS supabase_vault WITH SCHEMA vault; + IF vault_exists + THEN + + -- + -- Name: vault; Type: SCHEMA; Schema: -; Owner: - + -- + CREATE SCHEMA vault; + -- + -- Name: supabase_vault; Type: EXTENSION; Schema: -; Owner: - + -- --- --- Name: EXTENSION supabase_vault; Type: COMMENT; Schema: -; Owner: - --- + CREATE EXTENSION IF NOT EXISTS supabase_vault WITH SCHEMA vault; + + + -- + -- Name: EXTENSION supabase_vault; Type: COMMENT; Schema: -; Owner: - + -- + + COMMENT ON EXTENSION supabase_vault IS 'Supabase Vault Extension'; -COMMENT ON EXTENSION supabase_vault IS 'Supabase Vault Extension'; + END IF; +END $$; -- 
@@ -577,23 +593,38 @@ $$; -- Name: secrets_encrypt_secret_secret(); Type: FUNCTION; Schema: vault; Owner: - -- -CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger - LANGUAGE plpgsql - AS $$ - BEGIN - new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE - CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode( - pgsodium.crypto_aead_det_encrypt( - pg_catalog.convert_to(new.secret, 'utf8'), - pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'), - new.key_id::uuid, - new.nonce - ), - 'base64') END END; - RETURN new; - END; - $$; +DO $$ +DECLARE + vault_exists boolean; +BEGIN + vault_exists = ( + select count(*) = 1 + from pg_available_extensions + where name = 'supabase_vault' + ); + + IF vault_exists + THEN + + CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger + LANGUAGE plpgsql + AS $$ + BEGIN + new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE + CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode( + pgsodium.crypto_aead_det_encrypt( + pg_catalog.convert_to(new.secret, 'utf8'), + pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'), + new.key_id::uuid, + new.nonce + ), + 'base64') END END; + RETURN new; + END; + $$; + END IF; +END $$; SET default_tablespace = ''; 
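Review bot: The inner `CREATE FUNCTION ... AS $$` on the new side reuses the `$$` tag of the enclosing `DO $$`, so the second `$$` terminates the DO body before the plpgsql trigger body and the remaining text (`BEGIN new.secret = ...`) is handed to the parser as top-level SQL; this file cannot load as written, which is presumably why the next patch reverts it. Nested dollar quoting needs distinct tags, e.g. `DO $vault$` and `END $vault$;` for the outer block while the function keeps `$$`. The same outer block shape appears in the `@@ -141` and `@@ -785` hunks, which contain no nested `$$` and are not affected. Since `schema.sql` appears to be pg_dump output, a hand-added guard is also likely to be lost on the next regeneration, which argues for keeping the conditional logic in the migration file only.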
@@ -785,25 +816,40 @@ CREATE TABLE storage.objects ( -- Name: decrypted_secrets; Type: VIEW; Schema: vault; Owner: - -- -CREATE VIEW vault.decrypted_secrets AS - SELECT secrets.id, - secrets.name, - secrets.description, - secrets.secret, - CASE - WHEN (secrets.secret IS NULL) THEN NULL::text - ELSE +DO $$ +DECLARE + vault_exists boolean; +BEGIN + vault_exists = ( + select count(*) = 1 + from pg_available_extensions + where name = 'supabase_vault' + ); + + IF vault_exists + THEN + + CREATE VIEW vault.decrypted_secrets AS + SELECT secrets.id, + secrets.name, + secrets.description, + secrets.secret, CASE - WHEN (secrets.key_id IS NULL) THEN NULL::text - ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secrets.secret, 'base64'::text), convert_to(((((secrets.id)::text || secrets.description) || (secrets.created_at)::text) || (secrets.updated_at)::text), 'utf8'::name), secrets.key_id, secrets.nonce), 'utf8'::name) - END - END AS decrypted_secret, - secrets.key_id, - secrets.nonce, - secrets.created_at, - secrets.updated_at - FROM vault.secrets; + WHEN (secrets.secret IS NULL) THEN NULL::text + ELSE + CASE + WHEN (secrets.key_id IS NULL) THEN NULL::text + ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secrets.secret, 'base64'::text), convert_to(((((secrets.id)::text || secrets.description) || (secrets.created_at)::text) || (secrets.updated_at)::text), 'utf8'::name), secrets.key_id, secrets.nonce), 'utf8'::name) + END + END AS decrypted_secret, + secrets.key_id, + secrets.nonce, + secrets.created_at, + secrets.updated_at + FROM vault.secrets; + END IF; +END $$; -- -- Name: refresh_tokens id; Type: DEFAULT; Schema: auth; Owner: - From 302356273cf7144ab997407ea5c6d7add1c40b88 Mon Sep 17 00:00:00 2001 From: dragarcia Date: Thu, 6 Apr 2023 15:28:17 +0800 Subject: [PATCH 10/12] chore: revert changes --- migrations/schema.sql | 142 ++++++++++++++---------------------------- 1 file changed, 48 insertions(+), 94 deletions(-) 
diff --git a/migrations/schema.sql b/migrations/schema.sql index fed524a62..5bb4b15b0 100644 --- a/migrations/schema.sql +++ b/migrations/schema.sql @@ -78,6 +78,14 @@ CREATE SCHEMA realtime; CREATE SCHEMA storage; + +-- +-- Name: vault; Type: SCHEMA; Schema: -; Owner: - +-- + +CREATE SCHEMA vault; + + -- -- Name: pg_graphql; Type: EXTENSION; Schema: -; Owner: - -- @@ -133,43 +141,19 @@ CREATE EXTENSION IF NOT EXISTS pgjwt WITH SCHEMA extensions; COMMENT ON EXTENSION pgjwt IS 'JSON Web Token API for Postgresql'; + -- +-- Name: supabase_vault; Type: EXTENSION; Schema: -; Owner: - -- --- - -DO $$ -DECLARE - vault_exists boolean; -BEGIN - vault_exists = ( - select count(*) = 1 - from pg_available_extensions - where name = 'supabase_vault' - ); - - IF vault_exists - THEN - - -- - -- Name: vault; Type: SCHEMA; Schema: -; Owner: - - -- - CREATE SCHEMA vault; - -- - -- Name: supabase_vault; Type: EXTENSION; Schema: -; Owner: - - -- +CREATE EXTENSION IF NOT EXISTS supabase_vault WITH SCHEMA vault; - CREATE EXTENSION IF NOT EXISTS supabase_vault WITH SCHEMA vault; +-- +-- Name: EXTENSION supabase_vault; Type: COMMENT; Schema: -; Owner: - +-- - -- - -- Name: EXTENSION supabase_vault; Type: COMMENT; Schema: -; Owner: - - -- - - COMMENT ON EXTENSION supabase_vault IS 'Supabase Vault Extension'; - - END IF; -END $$; +COMMENT ON EXTENSION supabase_vault IS 'Supabase Vault Extension'; -- 
@@ -593,38 +577,23 @@ $$; -- Name: secrets_encrypt_secret_secret(); Type: FUNCTION; Schema: vault; Owner: - -- -DO $$ -DECLARE - vault_exists boolean; -BEGIN - vault_exists = ( - select count(*) = 1 - from pg_available_extensions - where name = 'supabase_vault' - ); - - IF vault_exists - THEN - - CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger - LANGUAGE plpgsql - AS $$ - BEGIN - new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE - CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode( - pgsodium.crypto_aead_det_encrypt( - pg_catalog.convert_to(new.secret, 'utf8'), - pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'), - new.key_id::uuid, - new.nonce - ), - 'base64') END END; - RETURN new; - END; - $$; +CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger + LANGUAGE plpgsql + AS $$ + BEGIN + new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE + CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode( + pgsodium.crypto_aead_det_encrypt( + pg_catalog.convert_to(new.secret, 'utf8'), + pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'), + new.key_id::uuid, + new.nonce + ), + 'base64') END END; + RETURN new; + END; + $$; - END IF; -END $$; SET default_tablespace = ''; 
@@ -816,40 +785,25 @@ CREATE TABLE storage.objects ( -- Name: decrypted_secrets; Type: VIEW; Schema: vault; Owner: - -- -DO $$ -DECLARE - vault_exists boolean; -BEGIN - vault_exists = ( - select count(*) = 1 - from pg_available_extensions - where name = 'supabase_vault' - ); - - IF vault_exists - THEN - - CREATE VIEW vault.decrypted_secrets AS - SELECT secrets.id, - secrets.name, - secrets.description, - secrets.secret, +CREATE VIEW vault.decrypted_secrets AS + SELECT secrets.id, + secrets.name, + secrets.description, + secrets.secret, + CASE + WHEN (secrets.secret IS NULL) THEN NULL::text + ELSE CASE - WHEN (secrets.secret IS NULL) THEN NULL::text - ELSE - CASE - WHEN (secrets.key_id IS NULL) THEN NULL::text - ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secrets.secret, 'base64'::text), convert_to(((((secrets.id)::text || secrets.description) || (secrets.created_at)::text) || (secrets.updated_at)::text), 'utf8'::name), secrets.key_id, secrets.nonce), 'utf8'::name) - END - END AS decrypted_secret, - secrets.key_id, - secrets.nonce, - secrets.created_at, - secrets.updated_at - FROM vault.secrets; + WHEN (secrets.key_id IS NULL) THEN NULL::text + ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secrets.secret, 'base64'::text), convert_to(((((secrets.id)::text || secrets.description) || (secrets.created_at)::text) || (secrets.updated_at)::text), 'utf8'::name), secrets.key_id, secrets.nonce), 'utf8'::name) + END + END AS decrypted_secret, + secrets.key_id, + secrets.nonce, + secrets.created_at, + secrets.updated_at + FROM vault.secrets; - END IF; -END $$; -- -- Name: refresh_tokens id; Type: DEFAULT; Schema: auth; Owner: - From d455bbfa08517532039f10e690205cbe7b42e15b Mon Sep 17 00:00:00 2001 From: dragarcia Date: Thu, 6 Apr 2023 15:41:00 +0800 Subject: [PATCH 11/12] chore: safeguard both pgsodium and vault --- ...221207154255_create_pgsodium_and_vault.sql | 37 +++++++++++-------- 1 file changed, 22 insertions(+), 15 deletions(-) 
diff --git a/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql b/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql index 813acb18e..ede303451 100644 --- a/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql +++ b/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql @@ -1,32 +1,39 @@ -- migrate:up -create extension if not exists pgsodium; - -grant pgsodium_keyiduser to postgres with admin option; -grant pgsodium_keyholder to postgres with admin option; -grant pgsodium_keymaker to postgres with admin option; - -grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, bytea) to service_role; -grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role; -grant execute on function pgsodium.crypto_aead_det_keygen to service_role; - --- Only install as well if the extension is actually installed DO $$ DECLARE + pgsodium_exists boolean; vault_exists boolean; BEGIN + pgsodium_exists = ( + select count(*) = 1 + from pg_available_extensions + where name = 'pgsodium' + ); + vault_exists = ( select count(*) = 1 from pg_available_extensions where name = 'supabase_vault' ); - IF vault_exists + IF pgsodium_exists THEN - create extension if not exists supabase_vault; - END IF; -END $$; + create extension if not exists pgsodium; + + grant pgsodium_keyiduser to postgres with admin option; + grant pgsodium_keyholder to postgres with admin option; + grant pgsodium_keymaker to postgres with admin option; + grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, bytea) to service_role; + grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role; + grant execute on function pgsodium.crypto_aead_det_keygen to service_role; + IF vault_exists + THEN + create extension if not exists supabase_vault; + END IF; + END IF; +END $$; -- migrate:down 
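Review bot: When `pgsodium_exists` or `vault_exists` is false the block ends silently, so a database that was meant to get Vault (and the pgsodium role grants) can come up without it and nothing in the migration log records which branch ran. An `ELSE RAISE WARNING 'supabase_vault not available; extension skipped';` on the inner IF, and the equivalent for pgsodium on the outer one, makes the skipped path visible to whoever reads the logs. Note also that the unit test from the first patch (`extensions_are(... 'supabase_vault')`) still expects the extension unconditionally, so on a server where it is unavailable the migration now succeeds but that test fails. The `-- migrate:down` section continues past the hunk, so whether it handles a partially installed state is not visible here.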
From ebc72e2dd3fca8e84b27976f84e639962d49b033 Mon Sep 17 00:00:00 2001 From: dragarcia Date: Thu, 6 Apr 2023 15:50:39 +0800 Subject: [PATCH 12/12] chore: bump version --- common.vars.pkr.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common.vars.pkr.hcl b/common.vars.pkr.hcl index fe9e2d0af..55bdce82d 100644 --- a/common.vars.pkr.hcl +++ b/common.vars.pkr.hcl @@ -1 +1 @@ -postgres-version = "15.1.0.66" +postgres-version = "15.1.0.67"