
Commit 4a7790c

pcncsoedirgo
authored andcommitted
fix: revert migrations
1 parent 1559c2d commit 4a7790c


6 files changed

+180
-17
lines changed

Lines changed: 40 additions & 0 deletions
@@ -0,0 +1,40 @@
1+
-- migrate:up
2+
3+
DO $$
4+
DECLARE
5+
pgsodium_exists boolean;
6+
vault_exists boolean;
7+
BEGIN
8+
pgsodium_exists = (
9+
select count(*) = 1
10+
from pg_available_extensions
11+
where name = 'pgsodium'
12+
and default_version in ('3.1.6', '3.1.7', '3.1.8', '3.1.9')
13+
);
14+
15+
vault_exists = (
16+
select count(*) = 1
17+
from pg_available_extensions
18+
where name = 'supabase_vault'
19+
);
20+
21+
IF pgsodium_exists
22+
THEN
23+
create extension if not exists pgsodium;
24+
25+
grant pgsodium_keyiduser to postgres with admin option;
26+
grant pgsodium_keyholder to postgres with admin option;
27+
grant pgsodium_keymaker to postgres with admin option;
28+
29+
grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, bytea) to service_role;
30+
grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role;
31+
grant execute on function pgsodium.crypto_aead_det_keygen to service_role;
32+
33+
IF vault_exists
34+
THEN
35+
create extension if not exists supabase_vault;
36+
END IF;
37+
END IF;
38+
END $$;
39+
40+
-- migrate:down
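Review bot: Both guards in this `DO` block fall through silently: on an image whose pgsodium `default_version` is outside 3.1.6–3.1.9, the extension, the three role grants, the EXECUTE grants and supabase_vault are all skipped and the migration still succeeds with no log line, while later migrations and `migrations/tests/database/privs.sql` assume they exist. An `ELSE RAISE WARNING 'pgsodium not available in a supported version (3.1.6-3.1.9); skipping pgsodium and supabase_vault setup';` before the outer `END IF` makes the skip visible, and a comment above the version list stating why exactly those four versions are accepted would save the next reader a search. `-- migrate:down` is left empty, so rolling back leaves the extension and the grants in place; if that is intentional, say so in a comment rather than leaving the section blank.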

migrations/db/migrations/20221207154255_create_vault.sql

Lines changed: 0 additions & 17 deletions
This file was deleted.

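--- a/migrations/db/migrations/20230529180330_alter_api_roles_for_inherit.sql
+++ b/migrations/db/migrations/20230529180330_alter_api_roles_for_inherit.sql
@@ -4,5 +4,7 @@ ALTER ROLE authenticated inherit;
 ALTER ROLE anon inherit;
 ALTER ROLE service_role inherit;
 
+GRANT pgsodium_keyholder to service_role;
+
 -- migrate:down
 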
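Review bot: `GRANT pgsodium_keyholder to service_role;` runs unconditionally, but the setup migration added in this same commit only creates pgsodium (and therefore its roles) when `pg_available_extensions` lists it at 3.1.6–3.1.9, so on an image without that version this migration now aborts with `role "pgsodium_keyholder" does not exist` where it previously had no pgsodium dependency at all. Guarding the grant on the role's presence keeps the two migrations consistent; the rewrite is below. Separately, keyholder membership widens what the API `service_role` can do well beyond the three EXECUTE grants in the setup migration — if that role carries access to raw key material, as its name suggests, that deserves a one-line comment here and a membership assertion in `migrations/tests/database/privs.sql`, which currently checks only EXECUTE.
```sql
-- pgsodium (and its roles) is only installed when a supported version is
-- available; skip the grant rather than fail the migration without it.
DO $$
BEGIN
    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'pgsodium_keyholder') THEN
        GRANT pgsodium_keyholder TO service_role;
    END IF;
END $$;
```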

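--- a/migrations/schema-15.sql
+++ b/migrations/schema-15.sql
@@ -44,6 +44,27 @@ CREATE SCHEMA graphql_public;
 CREATE SCHEMA pgbouncer;
 
 
+--
+-- Name: pgsodium; Type: SCHEMA; Schema: -; Owner: -
+--
+
+CREATE SCHEMA pgsodium;
+
+
+--
+-- Name: pgsodium; Type: EXTENSION; Schema: -; Owner: -
+--
+
+CREATE EXTENSION IF NOT EXISTS pgsodium WITH SCHEMA pgsodium;
+
+
+--
+-- Name: EXTENSION pgsodium; Type: COMMENT; Schema: -; Owner: -
+--
+
+COMMENT ON EXTENSION pgsodium IS 'Pgsodium is a modern cryptography library for Postgres.';
+
+
 --
 -- Name: realtime; Type: SCHEMA; Schema: -; Owner: -
 --
@@ -553,6 +574,28 @@ END
 $$;
 
 
+--
+-- Name: secrets_encrypt_secret_secret(); Type: FUNCTION; Schema: vault; Owner: -
+--
+
+CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger
+LANGUAGE plpgsql
+AS $$
+BEGIN
+new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE
+CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode(
+pgsodium.crypto_aead_det_encrypt(
+pg_catalog.convert_to(new.secret, 'utf8'),
+pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'),
+new.key_id::uuid,
+new.nonce
+),
+'base64') END END;
+RETURN new;
+END;
+$$;
+
+
 SET default_tablespace = '';
 
 SET default_table_access_method = heap;
@@ -739,6 +782,30 @@ CREATE TABLE storage.objects (
 );
 
 
+--
+-- Name: decrypted_secrets; Type: VIEW; Schema: vault; Owner: -
+--
+
+CREATE VIEW vault.decrypted_secrets AS
+SELECT secrets.id,
+secrets.name,
+secrets.description,
+secrets.secret,
+CASE
+WHEN (secrets.secret IS NULL) THEN NULL::text
+ELSE
+CASE
+WHEN (secrets.key_id IS NULL) THEN NULL::text
+ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secrets.secret, 'base64'::text), convert_to(((((secrets.id)::text || secrets.description) || (secrets.created_at)::text) || (secrets.updated_at)::text), 'utf8'::name), secrets.key_id, secrets.nonce), 'utf8'::name)
+END
+END AS decrypted_secret,
+secrets.key_id,
+secrets.nonce,
+secrets.created_at,
+secrets.updated_at
+FROM vault.secrets;
+
+
 --
 -- Name: refresh_tokens id; Type: DEFAULT; Schema: auth; Owner: -
 --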
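Review bot: The associated data in `vault.decrypted_secrets` (and in `vault.secrets_encrypt_secret_secret()` in the previous hunk of this file) is built with bare `||`, so a NULL `description` makes the whole AAD NULL; if the pgsodium functions are STRICT and `vault.secrets.description` is nullable — neither is visible here — the trigger then stores `secret = NULL` and the view returns a NULL `decrypted_secret`, i.e. the secret is silently dropped instead of the insert failing. Using `coalesce(secrets.description, '')` on both the encrypt and the decrypt side, or a `NOT NULL` constraint on the column, turns that into a visible failure; this file reads as a pg_dump snapshot, so the change belongs in the migration that defines vault, not here. The concatenation also puts no delimiter between the variable-length `description` and `created_at`, so distinct (description, created_at) pairs can share one AAD byte string; that is a weak binding rather than a demonstrated exploit, but it deserves a comment, and any change to the AAD layout must be versioned because existing ciphertexts were produced with the current one.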

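--- a/migrations/schema-orioledb-17.sql
+++ b/migrations/schema-orioledb-17.sql
@@ -45,6 +45,27 @@ CREATE SCHEMA graphql_public;
 CREATE SCHEMA pgbouncer;
 
 
+--
+-- Name: pgsodium; Type: SCHEMA; Schema: -; Owner: -
+--
+
+CREATE SCHEMA pgsodium;
+
+
+--
+-- Name: pgsodium; Type: EXTENSION; Schema: -; Owner: -
+--
+
+CREATE EXTENSION IF NOT EXISTS pgsodium WITH SCHEMA pgsodium;
+
+
+--
+-- Name: EXTENSION pgsodium; Type: COMMENT; Schema: -; Owner: -
+--
+
+COMMENT ON EXTENSION pgsodium IS 'Pgsodium is a modern cryptography library for Postgres.';
+
+
 --
 -- Name: realtime; Type: SCHEMA; Schema: -; Owner: -
 --
@@ -568,6 +589,28 @@ END
 $$;
 
 
+--
+-- Name: secrets_encrypt_secret_secret(); Type: FUNCTION; Schema: vault; Owner: -
+--
+
+CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger
+LANGUAGE plpgsql
+AS $$
+BEGIN
+new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE
+CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode(
+pgsodium.crypto_aead_det_encrypt(
+pg_catalog.convert_to(new.secret, 'utf8'),
+pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'),
+new.key_id::uuid,
+new.nonce
+),
+'base64') END END;
+RETURN new;
+END;
+$$;
+
+
 SET default_tablespace = '';
 
 SET default_table_access_method = orioledb;
@@ -754,6 +797,30 @@ CREATE TABLE storage.objects (
 );
 
 
+--
+-- Name: decrypted_secrets; Type: VIEW; Schema: vault; Owner: -
+--
+
+CREATE VIEW vault.decrypted_secrets AS
+SELECT id,
+name,
+description,
+secret,
+CASE
+WHEN (secret IS NULL) THEN NULL::text
+ELSE
+CASE
+WHEN (key_id IS NULL) THEN NULL::text
+ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secret, 'base64'::text), convert_to(((((id)::text || description) || (created_at)::text) || (updated_at)::text), 'utf8'::name), key_id, nonce), 'utf8'::name)
+END
+END AS decrypted_secret,
+key_id,
+nonce,
+created_at,
+updated_at
+FROM vault.secrets;
+
+
 --
 -- Name: refresh_tokens id; Type: DEFAULT; Schema: auth; Owner: -
 --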

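--- a/migrations/tests/database/privs.sql
+++ b/migrations/tests/database/privs.sql
@@ -2,6 +2,10 @@ SELECT database_privs_are(
 'postgres', 'postgres', ARRAY['CONNECT', 'TEMPORARY', 'CREATE']
 );
 
+SELECT function_privs_are('pgsodium', 'crypto_aead_det_decrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
+SELECT function_privs_are('pgsodium', 'crypto_aead_det_encrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
+SELECT function_privs_are('pgsodium', 'crypto_aead_det_keygen', array[]::text[], 'service_role', array['EXECUTE']);
+
 -- Verify public schema privileges
 SELECT schema_privs_are('public', 'postgres', array['CREATE', 'USAGE']);
 SELECT schema_privs_are('public', 'anon', array['USAGE']);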
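Review bot: The three new `function_privs_are` assertions run unconditionally, but the grants they check are only made when pgsodium is available at 3.1.6–3.1.9 (the setup migration in this commit skips everything otherwise), so on an image without that pgsodium this suite fails on a missing function rather than skipping; either gate them on `EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pgsodium')` with pgTAP's `skip(...)`, or state at the top of the file that the suite requires pgsodium. The tests also do not cover the `GRANT pgsodium_keyholder to service_role` added in `20230529180330_alter_api_roles_for_inherit.sql`; `SELECT is_member_of('pgsodium_keyholder', 'service_role');` pins that. A negative assertion such as `SELECT function_privs_are('pgsodium', 'crypto_aead_det_decrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'anon', array[]::text[]);` would document that plaintext decryption is meant to be service_role-only — valid only if pgsodium revokes the default PUBLIC EXECUTE on that function, which this hunk cannot show.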
