Feat/pgsodium vault updates (#411)

* update release candidate ami for pgsodium and vault updates.

* update pgsodium and vault.

* update release candidate ami for pgsodium and vault updates.

* remove vault ami release.

* bump vault version.

* add pgsodium in migration file, not at ami creation point.

* spelled extension name wrong.

* remove pgsodium from docker init, add as migration script.

* make migration idempotent

* bump version

* fix schema check in tests

* add vault schema to tests

* fix extension dependencies after extension creation

* bump vault

Co-authored-by: Bobbie Soedirgo <[email protected]>
Co-authored-by: Qiao Han <[email protected]>

Author: 3 people

Dockerfile

@@ -33,7 +33,7 @@ ENV LC_ALL en_US.UTF-8
 
 COPY ansible/files/pgbouncer_config/pgbouncer_auth_schema.sql /docker-entrypoint-initdb.d/00-schema.sql
 COPY ansible/files/stat_extension.sql /docker-entrypoint-initdb.d/01-extension.sql
-COPY ansible/files/sodium_extension.sql /docker-entrypoint-initdb.d/02-sodium-extension.sql
+# COPY ansible/files/sodium_extension.sql /docker-entrypoint-initdb.d/02-sodium-extension.sql
 COPY migrations/db/ /docker-entrypoint-initdb.d/
 
 CMD ["postgres", "-c", "config_file=/etc/postgresql/postgresql.conf"]

README.md

@@ -28,7 +28,7 @@ Unmodified Postgres with some useful plugins. Our goal with this repo is not to
 | [pg_net](https://github.com/supabase/pg_net) | [v0.6.1](https://github.com/supabase/pg_net/releases/tag/v0.6.1) | Expose the SQL interface for async networking. |
 | [rum](https://github.com/postgrespro/rum) | [1.3.13](https://github.com/postgrespro/rum/releases/tag/1.3.13) | An alternative to the GIN index. |
 | [pg_hashids](https://github.com/iCyberon/pg_hashids) | [commit](https://github.com/iCyberon/pg_hashids/commit/83398bcbb616aac2970f5e77d93a3200f0f28e74) | Generate unique identifiers from numbers. |
-| [pgsodium](https://github.com/michelp/pgsodium) | [2.0.0](https://github.com/michelp/pgsodium/releases/tag/2.0.0) | Modern encryption API using libsodium. |
+| [pgsodium](https://github.com/michelp/pgsodium) | [3.1.0](https://github.com/michelp/pgsodium/releases/tag/2.0.0) | Modern encryption API using libsodium. |
 | [pg_stat_monitor](https://github.com/percona/pg_stat_monitor) | [1.0.1](https://github.com/percona/pg_stat_monitor/releases/tag/1.0.1) | Query Performance Monitoring Tool for PostgreSQL
 
 

ansible/playbook.yml

@@ -14,7 +14,6 @@
           dest: "00-schema.sql",
         }
       - { source: "stat_extension.sql", dest: "01-extension.sql" }
-      - { source: "sodium_extension.sql", dest: "02-sodium-extension.sql" }
 
   environment:
     PATH: /usr/lib/postgresql/bin:{{ ansible_env.PATH }}

ansible/tasks/setup-extensions.yml

@@ -64,8 +64,8 @@
 - name: Install auto_explain
   import_tasks: tasks/postgres-extensions/21-auto_explain.yml
 
-# - name: Install vault
-#   import_tasks: tasks/postgres-extensions/23-vault.yml
+- name: Install vault
+  import_tasks: tasks/postgres-extensions/23-vault.yml
 
 - name: Install PGroonga
   import_tasks: tasks/postgres-extensions/24-pgroonga.yml

ansible/vars.yml

@@ -95,17 +95,17 @@ vector_arm_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_arm64.
 libsodium_release: "1.0.18"
 libsodium_release_checksum: sha1:795b73e3f92a362fabee238a71735579bf46bb97
 
-pgsodium_release: "3.0.4"
-pgsodium_release_checksum: sha1:f08e9ac109ab5e6fc8b15ea21b26f88f451a2070
+pgsodium_release: "3.1.0"
+pgsodium_release_checksum: sha1:b77c384e2908064dca136f87163d011cd56edd54
 
 pg_graphql_release: "v1.0.0"
 
 pg_jsonschema_release: "v0.1.3"
 
 pg_stat_monitor_release: "1.1.1"
 
-vault_release: "0.0.1"
-vault_release_checksum: sha1:a5ea3356c6f41985b2bef67b6a0491d4ffa99816
+vault_release: "0.2.3"
+vault_release_checksum: sha256:463cea027d19edda1f4e8025180db0a90535233cb9edd850d6d153aad8f609d1
 
 groonga_release: "12.0.8"
 groonga_release_checksum: sha1:32aee787efffc2a22760fde946fb6462286074e2

common.vars.pkr.hcl

@@ -1 +1 @@
-postgres-version = "15.1.0.2"
+postgres-version = "15.1.0.3-rc0"

migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql

@@ -0,0 +1,24 @@
+-- migrate:up
+
+create extension if not exists pgsodium;
+
+grant pgsodium_keyiduser to postgres with admin option;
+grant pgsodium_keyholder to postgres with admin option;
+grant pgsodium_keymaker  to postgres with admin option;
+
+do $$
+begin
+  if not exists (select from pg_extension where extname = 'supabase_vault') then
+    create extension supabase_vault;
+    -- Creating the extension creates a table and creates a security label on the table.
+    -- Creating the security label triggers a function that recreates these objects.
+    -- Since the recreation happens in an extension script, these objects become owned by the `supabase_vault` extension.
+    -- This is an issue because then we can't recreate these objects without also dropping the extension.
+    -- Thus we drop the dependency on the `supabase_vault` extension for these objects.
+    alter extension supabase_vault drop view pgsodium.decrypted_key;
+    alter extension supabase_vault drop function pgsodium.key_encrypt_secret;
+  end if;
+end;
+$$;
+
+-- migrate:down

migrations/tests/database/exists.sql

@@ -3,8 +3,8 @@ SELECT schemas_are(ARRAY[
   'public',
   'auth',
   'extensions',
-  'graphql',
   'graphql_public',
   'realtime',
-  'storage'
+  'storage',
+  'vault'
  ]);