sorokinvld
diff --git a/‎ansible/files/postgresql_config/supautils.conf.j2
Lines changed: 1 addition & 0 deletions b/‎ansible/files/postgresql_config/supautils.conf.j2
Lines changed: 1 addition & 0 deletions
diff --git a/‎ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql
Lines changed: 4 additions & 0 deletions b/‎ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql
Lines changed: 4 additions & 0 deletions
diff --git a/‎ansible/tasks/internal/supautils.yml
Lines changed: 9 additions & 0 deletions b/‎ansible/tasks/internal/supautils.yml
Lines changed: 9 additions & 0 deletions
diff --git a/‎common.vars.pkr.hcl
Lines changed: 1 addition & 1 deletion b/‎common.vars.pkr.hcl
Lines changed: 1 addition & 1 deletion
diff --git a/‎ebssurrogate/files/unit-tests/unit-test-01.sql
Lines changed: 7 additions & 1 deletion b/‎ebssurrogate/files/unit-tests/unit-test-01.sql
Lines changed: 7 additions & 1 deletion
diff --git a/‎migrations/schema.sql
Lines changed: 0 additions & 48 deletions b/‎migrations/schema.sql
Lines changed: 0 additions & 48 deletions
@@ -4,6 +4,7 @@ supautils.placeholders_disallowed_values = '"content-type"'
 # omitted because may be unsafe:             adminpack, amcheck, file_fdw, lo, old_snapshot, pageinspect, pg_buffercache, pg_freespacemap, pg_prewarm, pg_surgery, pg_visibility, pgstattuple
 # omitted because deprecated:                intagg, xml2
 supautils.privileged_extensions = 'address_standardizer, address_standardizer_data_us, autoinc, bloom, btree_gin, btree_gist, citext, cube, dblink, dict_int, dict_xsyn, earthdistance, fuzzystrmatch, hstore, http, insert_username, intarray, isn, ltree, moddatetime, pg_cron, pg_graphql, pg_hashids, pg_jsonschema, pg_net, pg_stat_monitor, pg_stat_statements, pg_trgm, pg_walinspect, pgaudit, pgcrypto, pgjwt, pgroonga, pgroonga_database, pgrouting, pgrowlocks, pgsodium, pgtap, plcoffee, pljava, plls, plpgsql, plpgsql_check, plv8, postgis, postgis_raster, postgis_sfcgal, postgis_tiger_geocoder, postgis_topology, postgres_fdw, refint, rum, seg, sslinfo, supabase_vault, supautils, tablefunc, tcn, timescaledb, tsm_system_rows, tsm_system_time, unaccent, uuid-ossp, wrappers'
+supautils.privileged_extensions_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
 supautils.privileged_extensions_superuser = 'supabase_admin'
 supautils.privileged_role = 'postgres'
 supautils.privileged_role_allowed_configs = 'pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, session_replication_role, track_io_timing'
 
@@ -0,0 +1,4 @@
+grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, bytea) to service_role;
+grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role;
+grant execute on function pgsodium.crypto_aead_det_keygen to service_role;
+grant execute on function pgsodium.crypto_aead_det_noncegen to service_role;
@@ -47,6 +47,15 @@
     owner: postgres
     group: postgres
 
+- name: supautils - copy extension custom scripts
+  copy:
+    src: files/postgresql_extension_custom_scripts
+    dest: /etc/postgresql-custom/extension-custom-scripts
+    mode: 0664
+    owner: postgres
+    group: postgres
+  become: yes
+
 - name: supautils - include /etc/postgresql-custom/supautils.conf in postgresql.conf
   become: yes
   replace:
 
@@ -1 +1 @@
-postgres-version = "15.1.0.13"
+postgres-version = "15.1.0.14"
@@ -1,5 +1,5 @@
 BEGIN;
-SELECT plan( 5 );
+SELECT plan(9);
 
 -- Check installed extensions
 SELECT extensions_are(
@@ -23,5 +23,11 @@ SELECT has_schema('pg_catalog');
 SELECT has_schema('information_schema');
 SELECT has_schema('public');
 
+-- Check that service_role can execute certain pgsodium functions
+SELECT function_privs_are('pgsodium', 'crypto_aead_det_decrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE'])
+SELECT function_privs_are('pgsodium', 'crypto_aead_det_encrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE'])
+SELECT function_privs_are('pgsodium', 'crypto_aead_det_keygen', array[], 'service_role', array['EXECUTE'])
+SELECT function_privs_are('pgsodium', 'crypto_aead_det_noncegen', array[], 'service_role', array['EXECUTE'])
+
 SELECT * from finish();
 ROLLBACK;
@@ -510,25 +510,6 @@ END;
 $$;
 
 
---
--- Name: key_encrypt_secret(); Type: FUNCTION; Schema: pgsodium; Owner: -
---
-
-CREATE FUNCTION pgsodium.key_encrypt_secret() RETURNS trigger
-    LANGUAGE plpgsql
-    AS $$
-    BEGIN
-            new.raw_key = CASE WHEN new.raw_key IS NULL THEN NULL ELSE
-                CASE WHEN new.parent_key IS NULL THEN NULL ELSE
-                        pgsodium.crypto_aead_det_encrypt(new.raw_key::bytea, pg_catalog.convert_to((new.id::text || new.associated_data::text)::text, 'utf8'),
-                new.parent_key::uuid,
-                new.raw_key_nonce
-              ) END END;
-    RETURN new;
-    END;
-    $$;
-
-
 --
 -- Name: extension(text); Type: FUNCTION; Schema: storage; Owner: -
 --
@@ -754,35 +735,6 @@ CREATE TABLE auth.users (
 COMMENT ON TABLE auth.users IS 'Auth: Stores user login data within a secure schema.';
 
 
---
--- Name: decrypted_key; Type: VIEW; Schema: pgsodium; Owner: -
---
-
-CREATE VIEW pgsodium.decrypted_key AS
- SELECT key.id,
-    key.status,
-    key.created,
-    key.expires,
-    key.key_type,
-    key.key_id,
-    key.key_context,
-    key.name,
-    key.associated_data,
-    key.raw_key,
-        CASE
-            WHEN (key.raw_key IS NULL) THEN NULL::bytea
-            ELSE
-            CASE
-                WHEN (key.parent_key IS NULL) THEN NULL::bytea
-                ELSE pgsodium.crypto_aead_det_decrypt(key.raw_key, convert_to(((key.id)::text || key.associated_data), 'utf8'::name), key.parent_key, key.raw_key_nonce)
-            END
-        END AS decrypted_raw_key,
-    key.raw_key_nonce,
-    key.parent_key,
-    key.comment
-   FROM pgsodium.key;
-
-
 --
 -- Name: schema_migrations; Type: TABLE; Schema: public; Owner: -
 --
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-postgres-version = "15.1.0.13"`
	`1`	`+postgres-version = "15.1.0.14"`