Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: revert migrations #1441

Merged
merged 1 commit into from
Feb 12, 2025
Merged

fix: revert migrations #1441

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 40 additions & 0 deletions migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
-- migrate:up

DO $$
DECLARE
pgsodium_exists boolean;
vault_exists boolean;
BEGIN
pgsodium_exists = (
select count(*) = 1
from pg_available_extensions
where name = 'pgsodium'
and default_version in ('3.1.6', '3.1.7', '3.1.8', '3.1.9')
);

vault_exists = (
select count(*) = 1
from pg_available_extensions
where name = 'supabase_vault'
);

IF pgsodium_exists
THEN
create extension if not exists pgsodium;

grant pgsodium_keyiduser to postgres with admin option;
grant pgsodium_keyholder to postgres with admin option;
grant pgsodium_keymaker to postgres with admin option;

grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, bytea) to service_role;
grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role;
grant execute on function pgsodium.crypto_aead_det_keygen to service_role;

IF vault_exists
THEN
create extension if not exists supabase_vault;
END IF;
END IF;
END $$;

-- migrate:down
17 changes: 0 additions & 17 deletions migrations/db/migrations/20221207154255_create_vault.sql
View file
Open in desktop

This file was deleted.

2 changes: 2 additions & 0 deletions migrations/db/migrations/20230529180330_alter_api_roles_for_inherit.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,5 +4,7 @@ ALTER ROLE authenticated inherit;
ALTER ROLE anon inherit;
ALTER ROLE service_role inherit;

GRANT pgsodium_keyholder to service_role;

-- migrate:down

67 changes: 67 additions & 0 deletions migrations/schema-15.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,27 @@ CREATE SCHEMA graphql_public;
CREATE SCHEMA pgbouncer;


--
-- Name: pgsodium; Type: SCHEMA; Schema: -; Owner: -
--

CREATE SCHEMA pgsodium;


--
-- Name: pgsodium; Type: EXTENSION; Schema: -; Owner: -
--

CREATE EXTENSION IF NOT EXISTS pgsodium WITH SCHEMA pgsodium;


--
-- Name: EXTENSION pgsodium; Type: COMMENT; Schema: -; Owner: -
--

COMMENT ON EXTENSION pgsodium IS 'Pgsodium is a modern cryptography library for Postgres.';


--
-- Name: realtime; Type: SCHEMA; Schema: -; Owner: -
--
Expand Down Expand Up @@ -553,6 +574,28 @@ END
$$;


--
-- Name: secrets_encrypt_secret_secret(); Type: FUNCTION; Schema: vault; Owner: -
--

CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger
LANGUAGE plpgsql
AS $$
BEGIN
new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE
CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode(
pgsodium.crypto_aead_det_encrypt(
pg_catalog.convert_to(new.secret, 'utf8'),
pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'),
new.key_id::uuid,
new.nonce
),
'base64') END END;
RETURN new;
END;
$$;


SET default_tablespace = '';

SET default_table_access_method = heap;
Expand Down Expand Up @@ -739,6 +782,30 @@ CREATE TABLE storage.objects (
);


--
-- Name: decrypted_secrets; Type: VIEW; Schema: vault; Owner: -
--

CREATE VIEW vault.decrypted_secrets AS
SELECT secrets.id,
secrets.name,
secrets.description,
secrets.secret,
CASE
WHEN (secrets.secret IS NULL) THEN NULL::text
ELSE
CASE
WHEN (secrets.key_id IS NULL) THEN NULL::text
ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secrets.secret, 'base64'::text), convert_to(((((secrets.id)::text || secrets.description) || (secrets.created_at)::text) || (secrets.updated_at)::text), 'utf8'::name), secrets.key_id, secrets.nonce), 'utf8'::name)
END
END AS decrypted_secret,
secrets.key_id,
secrets.nonce,
secrets.created_at,
secrets.updated_at
FROM vault.secrets;


--
-- Name: refresh_tokens id; Type: DEFAULT; Schema: auth; Owner: -
--
Expand Down
67 changes: 67 additions & 0 deletions migrations/schema-orioledb-17.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,27 @@ CREATE SCHEMA graphql_public;
CREATE SCHEMA pgbouncer;


--
-- Name: pgsodium; Type: SCHEMA; Schema: -; Owner: -
--

CREATE SCHEMA pgsodium;


--
-- Name: pgsodium; Type: EXTENSION; Schema: -; Owner: -
--

CREATE EXTENSION IF NOT EXISTS pgsodium WITH SCHEMA pgsodium;


--
-- Name: EXTENSION pgsodium; Type: COMMENT; Schema: -; Owner: -
--

COMMENT ON EXTENSION pgsodium IS 'Pgsodium is a modern cryptography library for Postgres.';


--
-- Name: realtime; Type: SCHEMA; Schema: -; Owner: -
--
Expand Down Expand Up @@ -568,6 +589,28 @@ END
$$;


--
-- Name: secrets_encrypt_secret_secret(); Type: FUNCTION; Schema: vault; Owner: -
--

CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger
LANGUAGE plpgsql
AS $$
BEGIN
new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE
CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode(
pgsodium.crypto_aead_det_encrypt(
pg_catalog.convert_to(new.secret, 'utf8'),
pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'),
new.key_id::uuid,
new.nonce
),
'base64') END END;
RETURN new;
END;
$$;


SET default_tablespace = '';

SET default_table_access_method = orioledb;
Expand Down Expand Up @@ -754,6 +797,30 @@ CREATE TABLE storage.objects (
);


--
-- Name: decrypted_secrets; Type: VIEW; Schema: vault; Owner: -
--

CREATE VIEW vault.decrypted_secrets AS
SELECT id,
name,
description,
secret,
CASE
WHEN (secret IS NULL) THEN NULL::text
ELSE
CASE
WHEN (key_id IS NULL) THEN NULL::text
ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secret, 'base64'::text), convert_to(((((id)::text || description) || (created_at)::text) || (updated_at)::text), 'utf8'::name), key_id, nonce), 'utf8'::name)
END
END AS decrypted_secret,
key_id,
nonce,
created_at,
updated_at
FROM vault.secrets;


--
-- Name: refresh_tokens id; Type: DEFAULT; Schema: auth; Owner: -
--
Expand Down
4 changes: 4 additions & 0 deletions migrations/tests/database/privs.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@ SELECT database_privs_are(
'postgres', 'postgres', ARRAY['CONNECT', 'TEMPORARY', 'CREATE']
);

SELECT function_privs_are('pgsodium', 'crypto_aead_det_decrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
SELECT function_privs_are('pgsodium', 'crypto_aead_det_encrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
SELECT function_privs_are('pgsodium', 'crypto_aead_det_keygen', array[]::text[], 'service_role', array['EXECUTE']);

-- Verify public schema privileges
SELECT schema_privs_are('public', 'postgres', array['CREATE', 'USAGE']);
SELECT schema_privs_are('public', 'anon', array['USAGE']);
Expand Down
Loading