From f7ce3e6b973996d1413d1004f4ac9eeeaec6b88d Mon Sep 17 00:00:00 2001
From: dragarcia
Date: Wed, 29 Mar 2023 10:53:49 +0800
Subject: [PATCH 1/8] chore: re-enable Vault
---
ansible/tasks/setup-extensions.yml | 4 +-
.../files/unit-tests/unit-test-01.sql | 3 +-
...221207154255_create_pgsodium_and_vault.sql | 2 +-
migrations/schema.sql | 67 +++++++++++++++++++
migrations/tests/extensions/test.sql | 2 +-
5 files changed, 73 insertions(+), 5 deletions(-)
diff --git a/ansible/tasks/setup-extensions.yml b/ansible/tasks/setup-extensions.yml
index 5e917d388..86af557f9 100644
--- a/ansible/tasks/setup-extensions.yml
+++ b/ansible/tasks/setup-extensions.yml
@@ -64,8 +64,8 @@ - name: Install auto_explain import_tasks: tasks/postgres-extensions/21-auto_explain.yml -# - name: Install vault -# import_tasks: tasks/postgres-extensions/23-vault.yml +- name: Install vault + import_tasks: tasks/postgres-extensions/23-vault.yml - name: Install PGroonga import_tasks: tasks/postgres-extensions/24-pgroonga.yml
diff --git a/ebssurrogate/files/unit-tests/unit-test-01.sql b/ebssurrogate/files/unit-tests/unit-test-01.sql
index 72ff06226..0feb70e8b 100644
--- a/ebssurrogate/files/unit-tests/unit-test-01.sql
+++ b/ebssurrogate/files/unit-tests/unit-test-01.sql
@@ -12,7 +12,8 @@ SELECT extensions_are( 'pg_graphql', 'pgcrypto', 'pgjwt', - 'uuid-ossp' + 'uuid-ossp', + 'supabase_vault' ] );
diff --git a/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql b/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql
index 9a863bdaf..f30fee93e 100644
--- a/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql
+++ b/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql
@@ -10,6 +10,6 @@ grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, b grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role; grant execute on function pgsodium.crypto_aead_det_keygen to service_role; --- create extension if not exists supabase_vault; +create extension if not exists supabase_vault; -- migrate:down
diff --git a/migrations/schema.sql b/migrations/schema.sql
index 9d2d61205..fa10ba773 100644
--- a/migrations/schema.sql
+++ b/migrations/schema.sql
@@ -79,6 +79,13 @@ CREATE SCHEMA realtime; CREATE SCHEMA storage; +-- +-- Name: vault; Type: SCHEMA; Schema: -; Owner: - +-- + +CREATE SCHEMA vault; + + -- -- Name: pg_graphql; Type: EXTENSION; Schema: -; Owner: - --
@@ -135,6 +142,20 @@ CREATE EXTENSION IF NOT EXISTS pgjwt WITH SCHEMA extensions; COMMENT ON EXTENSION pgjwt IS 'JSON Web Token API for Postgresql'; +-- +-- Name: supabase_vault; Type: EXTENSION; Schema: -; Owner: - +-- + +CREATE EXTENSION IF NOT EXISTS supabase_vault WITH SCHEMA vault; + + +-- +-- Name: EXTENSION supabase_vault; Type: COMMENT; Schema: -; Owner: - +-- + +COMMENT ON EXTENSION supabase_vault IS 'Supabase Vault Extension'; + + -- -- Name: uuid-ossp; Type: EXTENSION; Schema: -; Owner: - --
@@ -552,6 +573,28 @@ END $$; +-- +-- Name: secrets_encrypt_secret_secret(); Type: FUNCTION; Schema: vault; Owner: - +-- + +CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger + LANGUAGE plpgsql + AS $$ + BEGIN + new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE + CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode( + pgsodium.crypto_aead_det_encrypt( + pg_catalog.convert_to(new.secret, 'utf8'), + pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'), + new.key_id::uuid, + new.nonce + ), + 'base64') END END; + RETURN new; + END; + $$; + + SET default_tablespace = ''; SET default_table_access_method = heap;
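Review bot: Uncommenting `create extension if not exists supabase_vault;` edits a migration that already carries the `20221207154255` version stamp, so any database that has recorded this version as applied will never run the new line; if such databases exist anywhere, a fresh migration with its own timestamp is the safer vehicle, otherwise a comment on the line noting that images are always built from scratch would pre-empt the question. The `-- migrate:down` marker is the hunk's last line and the down section continues outside it; confirm it carries the matching `drop extension if exists supabase_vault;` so the migration stays reversible. The `grant execute ... to service_role` lines above the change appear to be what lets a role read plaintext through the vault view added later in this patch, so a short comment tying them to the extension, e.g. `-- vault's decrypt view calls pgsodium as the invoking role; these grants define who can read secrets`, would help the next reader.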
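Review bot: In `vault.secrets_encrypt_secret_secret()` the associated data is built with `||` over `new.description::text`, and `||` returns NULL as soon as one operand is NULL, so a row inserted without a description gets a NULL AAD; if `pgsodium.crypto_aead_det_encrypt` is strict the whole expression is NULL and `new.secret` is silently stored as NULL instead of ciphertext. The `vault.decrypted_secrets` view in the next hunk (`@@ -738,6 +781,30 @@`) builds the same concatenation and has the same gap. The table `vault.secrets` is not in the diff, so whether `description` is already declared NOT NULL cannot be confirmed here; if it is not, the conventional fix is `coalesce(new.description, '')` in both places, but because `migrations/schema.sql` is a dump of extension-created objects that fix belongs in the extension, and this PR can cover it by adding a NULL-description insert/read round trip to `23-vault.sql`.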
@@ -738,6 +781,30 @@ CREATE TABLE storage.objects ( ); +-- +-- Name: decrypted_secrets; Type: VIEW; Schema: vault; Owner: - +-- + +CREATE VIEW vault.decrypted_secrets AS + SELECT secrets.id, + secrets.name, + secrets.description, + secrets.secret, + CASE + WHEN (secrets.secret IS NULL) THEN NULL::text + ELSE + CASE + WHEN (secrets.key_id IS NULL) THEN NULL::text + ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secrets.secret, 'base64'::text), convert_to(((((secrets.id)::text || secrets.description) || (secrets.created_at)::text) || (secrets.updated_at)::text), 'utf8'::name), secrets.key_id, secrets.nonce), 'utf8'::name) + END + END AS decrypted_secret, + secrets.key_id, + secrets.nonce, + secrets.created_at, + secrets.updated_at + FROM vault.secrets; + + -- -- Name: refresh_tokens id; Type: DEFAULT; Schema: auth; Owner: - --
diff --git a/migrations/tests/extensions/test.sql b/migrations/tests/extensions/test.sql
index 47e8e107b..7e0d1f38d 100644
--- a/migrations/tests/extensions/test.sql
+++ b/migrations/tests/extensions/test.sql
@@ -21,7 +21,7 @@ \ir 20-pg_stat_monitor.sql \ir 21-auto_explain.sql \ir 22-pg_jsonschema.sql --- \ir 23-vault.sql +\ir 23-vault.sql \ir 24-pgroonga.sql \ir 25-wrappers.sql \ir 26-hypopg.sql
From df42e1fb67f5fe9622825275224d445aa275b87d Mon Sep 17 00:00:00 2001
From: dragarcia
Date: Wed, 29 Mar 2023 10:54:01 +0800
Subject: [PATCH 2/8] chore: bump version
---
common.vars.pkr.hcl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common.vars.pkr.hcl b/common.vars.pkr.hcl
index 074f217b8..de698c107 100644
--- a/common.vars.pkr.hcl
+++ b/common.vars.pkr.hcl
@@ -1 +1 @@
-postgres-version = "15.1.0.62"
+postgres-version = "15.1.0.63"
From 2ab75b00b30e4ffc8e402e92b006ffee63b34d11 Mon Sep 17 00:00:00 2001
From: dragarcia
Date: Wed, 29 Mar 2023 11:10:46 +0800
Subject: [PATCH 3/8] chore: version as rc
---
common.vars.pkr.hcl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
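Review bot: `vault.decrypted_secrets` returns `decrypted_secret` in the clear for every row of `vault.secrets` to any role that can select from it, and this dump records `Owner: -` and no GRANT or REVOKE for the `vault` schema, the table or the view, so the intended reader set is not visible in the patch. The PostgreSQL CREATE VIEW documentation states that functions used in a view are executed with the privileges of the user querying it, so a reader also needs EXECUTE on `pgsodium.crypto_aead_det_decrypt`, which the migration in this patch grants to `service_role`; the pgsodium grants rather than the view are therefore the effective access boundary, and that is worth stating in the migration and pinning with a test in `23-vault.sql` that asserts roles other than `service_role` get a permission error on `select decrypted_secret from vault.decrypted_secrets`. No change to this hunk itself is proposed since `schema.sql` is generated output.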
diff --git a/common.vars.pkr.hcl b/common.vars.pkr.hcl
index de698c107..1665bd0f4 100644
--- a/common.vars.pkr.hcl
+++ b/common.vars.pkr.hcl
@@ -1 +1 @@
-postgres-version = "15.1.0.63"
+postgres-version = "15.1.0.63-rc"
From 6d448b36b190fa14b03430b6c350bf28a1861847 Mon Sep 17 00:00:00 2001
From: dragarcia
Date: Wed, 29 Mar 2023 11:42:05 +0800
Subject: [PATCH 4/8] fix: formatting
---
migrations/schema.sql | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/migrations/schema.sql b/migrations/schema.sql
index fa10ba773..5bb4b15b0 100644
--- a/migrations/schema.sql
+++ b/migrations/schema.sql
@@ -581,7 +581,7 @@ CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger LANGUAGE plpgsql AS $$ BEGIN - new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE + new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode( pgsodium.crypto_aead_det_encrypt( pg_catalog.convert_to(new.secret, 'utf8'),
From e9e48d4bcd3173eefe44f71440bc3ac2600932e0 Mon Sep 17 00:00:00 2001
From: dragarcia
Date: Wed, 29 Mar 2023 11:56:31 +0800
Subject: [PATCH 5/8] chore: build test image from branch
---
.github/workflows/ami-release.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ami-release.yml b/.github/workflows/ami-release.yml
index 79f6787de..f742ae264 100644
--- a/.github/workflows/ami-release.yml
+++ b/.github/workflows/ami-release.yml
@@ -4,6 +4,7 @@ on: push: branches: - develop + - drag/enable_vault paths: - '.github/workflows/ami-release.yml' - 'common.vars.pkr.hcl'
From a3d9d788876254b163746d03829f5b1a95639d02 Mon Sep 17 00:00:00 2001
From: dragarcia
Date: Tue, 4 Apr 2023 10:45:06 +0800
Subject: [PATCH 6/8] chore: trigger build
---
common.vars.pkr.hcl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common.vars.pkr.hcl b/common.vars.pkr.hcl
index 1665bd0f4..4d571bb79 100644
--- a/common.vars.pkr.hcl
+++ b/common.vars.pkr.hcl
@@ -1 +1 @@
-postgres-version = "15.1.0.63-rc"
+postgres-version = "15.1.0.65-rc"
From c227c7b483a53b6718a9b91baeba8468fb5db072 Mon Sep 17 00:00:00 2001
From: dragarcia
Date: Tue, 4 Apr 2023 20:59:53 +0800
Subject: [PATCH 7/8] chore: remove branch
---
.github/workflows/ami-release.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/ami-release.yml b/.github/workflows/ami-release.yml
index f742ae264..79f6787de 100644
--- a/.github/workflows/ami-release.yml
+++ b/.github/workflows/ami-release.yml
@@ -4,7 +4,6 @@ on: push: branches: - develop - - drag/enable_vault paths: - '.github/workflows/ami-release.yml' - 'common.vars.pkr.hcl'
From 479a1ea789517dd439ec63ff7bb4d284a11c0842 Mon Sep 17 00:00:00 2001
From: dragarcia
Date: Tue, 4 Apr 2023 21:01:17 +0800
Subject: [PATCH 8/8] chore: bump version
---
common.vars.pkr.hcl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common.vars.pkr.hcl b/common.vars.pkr.hcl
index 4d571bb79..fee110082 100644
--- a/common.vars.pkr.hcl
+++ b/common.vars.pkr.hcl
@@ -1 +1 @@
-postgres-version = "15.1.0.65-rc"
+postgres-version = "15.1.0.65"