Merge branch 'main' into feature/windows_port

Author: michelp

Dockerfile

@@ -27,7 +27,11 @@ RUN chown postgres:postgres /home/postgres
 
 RUN curl -s -L https://github.com/theory/pgtap/archive/v1.2.0.tar.gz | tar zxvf - && cd pgtap-1.2.0 && make && make install
 RUN curl -s -L https://download.libsodium.org/libsodium/releases/libsodium-1.0.18.tar.gz | tar zxvf - && cd libsodium-1.0.18 && ./configure && make check && make -j 4 install
-RUN cpan App::cpanminus && cpan TAP::Parser::SourceHandler::pgTAP
+RUN cpan App::cpanminus && cpan TAP::Parser::SourceHandler::pgTAP && cpan App::prove
+
+RUN git clone --depth 1 https://github.com/lacanoid/pgddl.git
+RUN cd pgddl && make && make install && cd ..
+
 RUN mkdir "/home/postgres/pgsodium"
 WORKDIR "/home/postgres/pgsodium"
 COPY . .

META.json

@@ -2,7 +2,7 @@
     "name": "pgsodium",
     "abstract": "Postgres extension for libsodium functions",
     "description": "pgsodium is a PostgreSQL extension that exposes modern libsodium based cryptographic functions to SQL.",
-    "version": "3.1.5",
+    "version": "3.1.9",
     "maintainer": [
         "Michel Pelletier <[email protected]>"
     ],
@@ -13,7 +13,7 @@
             "abstract": "Postgres extension for libsodium functions",
             "file": "src/pgsodium.h",
             "docfile": "README.md",
-            "version": "3.1.5"
+            "version": "3.1.9"
         }
     },
     "prereqs": {

example/tce.sql

@@ -10,7 +10,8 @@ CREATE SCHEMA "tce-example";
 SET search_path = "tce-example", pg_catalog;
 
 CREATE TABLE test (
-  secret text
+  secret text,
+  name text unique
 );
 
 CREATE TABLE test2 (
@@ -73,6 +74,6 @@ CREATE TABLE "tce-example"."bob-testt" (
 );
 
 SECURITY LABEL FOR pgsodium	ON COLUMN "bob-testt"."secret2-test" IS
-    'ENCRYPT WITH KEY COLUMN secret2_key_id-test ASSOCIATED (associated2-test) NONCE nonce2-test';
+    'ENCRYPT WITH KEY COLUMN secret2_key_id-test ASSOCIATED (associated2-test) NONCE nonce2-test SECURITY INVOKER';
 
 select pgsodium.update_masks(true);

pgsodium.control

@@ -1,5 +1,5 @@
 # pgsodium extension
 comment = 'Postgres extension for libsodium functions'
-default_version = '3.1.5'
+default_version = '3.1.9'
 relocatable = false
 schema = pgsodium

pgsodium_tapgen.pl

@@ -7,7 +7,7 @@
 use Getopt::Long;
 use File::Spec;
 
-my $PGSODIUM_VERSION = '3.1.5';
+my $PGSODIUM_VERSION = '3.1.7';
 
 my $curr;
 my $rs;
@@ -46,12 +46,15 @@
 
 ################################################################################
 
-print "BEGIN;\n",
-      "CREATE EXTENSION IF NOT EXISTS pgtap;\n",
-      "CREATE EXTENSION IF NOT EXISTS pgsodium;\n\n",
-      "SET search_path TO 'public';\n\n";
+print "SET search_path TO 'public';\n";
 
-print "SELECT plan(1); -- FIXME!\n";
+print "\n\n\n---- POSTGRESQL MINIMAL VERSION\n";
+print "SELECT cmp_ok("
+     ."current_setting('server_version_num')::int, "
+     ."'>=', "
+     ."130000, "
+     ."format('PostgreSQL version %s >= 13', current_setting('server_version'))"
+     .");\n";
 
 print "\n\n\n---- EXTENSION VERSION\n";
 
@@ -71,16 +74,15 @@
     WHERE refclassid = 'pg_catalog.pg_extension'::pg_catalog.regclass
       AND refobjid = (SELECT oid FROM pg_extension WHERE extname = 'pgsodium')
       AND deptype = 'e'
-    ORDER BY 1;
+    ORDER BY pg_catalog.pg_describe_object(classid, objid, 0) COLLATE "C"
 }) or die;
 
-print q{SELECT results_eq($$
+print q{SELECT bag_eq($$
   SELECT pg_catalog.pg_describe_object(classid, objid, 0)
   FROM pg_catalog.pg_depend
   WHERE refclassid = 'pg_catalog.pg_extension'::pg_catalog.regclass
     AND refobjid = (SELECT oid FROM pg_extension WHERE extname = 'pgsodium')
-    AND deptype = 'e'
-  ORDER BY 1$$,
+    AND deptype = 'e'$$,
   $$ VALUES
     }, join(",\n    ", @$rs), q{
   $$,
@@ -113,30 +115,27 @@
     printf "SELECT is_member_of( %s, %s );\n", $r->[0], $r->[1];
 }
 
+print "\n\n\n---- SCHEMAS\n\n";
+
 $rs = $dbh->selectall_arrayref(q{
     SELECT quote_literal(nspname),
       quote_literal(pg_catalog.pg_get_userbyid(nspowner))
     FROM pg_catalog.pg_namespace
-    WHERE nspname NOT IN ('pg_catalog', 'pg_toast', 'information_schema')
+    WHERE nspname NOT IN ('public', 'pg_catalog', 'pg_toast', 'information_schema')
     ORDER BY nspname
 }) or die;
 
-print "\n\n\n---- SCHEMAS\n\n";
-
-print "SELECT schemas_are(ARRAY[\n    ",
-      join(",\n    ", map {$_->[0]} @$rs),
-      "\n]);\n";
-
 foreach my $r ( @$rs ) {
-    printf "SELECT schema_owner_is(%-10s, %s);\n", @$r;
+    printf "SELECT has_schema(%s);\n", $r->[0];
+    printf "SELECT schema_owner_is(%s, %s);\n\n", @$r;
 }
 
 print "\n\n\n---- EVENT TRIGGERS\n\n";
 
 # pgtap doesn't support event triggers yet.
 $rs = $dbh->selectall_arrayref(q{
     SELECT quote_literal(evtname), quote_literal(evtevent),
-      quote_literal(evtenabled), ARRAY(SELECT quote_literal(unnest(evttags)) ORDER BY 1),
+      quote_literal(evtenabled::text), ARRAY(SELECT quote_literal(unnest(evttags)) ORDER BY 1),
       quote_literal(pg_catalog.pg_get_userbyid(evtowner)),
       quote_literal(evtfoid::regproc)
     FROM pg_catalog.pg_event_trigger
@@ -429,8 +428,6 @@
   "]);\n";
 }
 
-print "\n\nROLLBACK;\n";
-
 $dbh->rollback;
 
 exit;
@@ -528,6 +525,7 @@ sub privs_tests {
                 WHEN r.relkind = 'S' THEN has_sequence_privilege(a.oid, r.oid, s.p)
            END
        AND s.k = r.relkind
+       AND a.rolname NOT IN ('pg_read_all_data', 'pg_write_all_data')
      GROUP BY a.rolname, r.nspname, r.relname
      ORDER BY a.rolname}, undef, $schema, $tname);
 
@@ -542,7 +540,7 @@ sub privs_tests {
           ."FROM pg_catalog.pg_roles\n"
           ."WHERE rolname NOT IN (%s);\n",
           $type, $privs->[0][2], $privs->[0][3],
-          join(',',  map { $_->[0] } @$privs);
+          join(',', ("'pg_read_all_data'", "'pg_write_all_data'", map { $_->[0] } @$privs ));
 }
 
 sub idxs_tests {

sql/pgsodium--3.1.5--3.1.6.sql

@@ -0,0 +1,2 @@
+
+SELECT pg_catalog.pg_extension_config_dump('pgsodium.key_key_id_seq', '');

sql/pgsodium--3.1.6--3.1.7.sql

@@ -0,0 +1,181 @@
+CREATE OR REPLACE VIEW pgsodium.masking_rule AS
+  WITH const AS (
+    SELECT
+      'encrypt +with +key +id +([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})'
+        AS pattern_key_id,
+      'encrypt +with +key +column +([\w\"\-$]+)'
+        AS pattern_key_id_column,
+      '(?<=associated) +\(([\w\"\-$, ]+)\)'
+        AS pattern_associated_columns,
+      '(?<=nonce) +([\w\"\-$]+)'
+        AS pattern_nonce_column,
+      '(?<=decrypt with view) +([\w\"\-$]+\.[\w\"\-$]+)'
+        AS pattern_view_name,
+      '(?<=security invoker)'
+        AS pattern_security_invoker
+  ),
+  rules_from_seclabels AS (
+    SELECT
+      sl.objoid AS attrelid,
+      sl.objsubid  AS attnum,
+      c.relnamespace::regnamespace,
+      c.relname,
+      a.attname,
+      pg_catalog.format_type(a.atttypid, a.atttypmod),
+      sl.label AS col_description,
+      (regexp_match(sl.label, k.pattern_key_id_column, 'i'))[1] AS key_id_column,
+      (regexp_match(sl.label, k.pattern_key_id, 'i'))[1] AS key_id,
+      (regexp_match(sl.label, k.pattern_associated_columns, 'i'))[1] AS associated_columns,
+      (regexp_match(sl.label, k.pattern_nonce_column, 'i'))[1] AS nonce_column,
+      coalesce((regexp_match(sl2.label, k.pattern_view_name, 'i'))[1],
+               c.relnamespace::regnamespace || '.' || quote_ident('decrypted_' || c.relname)) AS view_name,
+      100 AS priority,
+      (regexp_match(sl.label, k.pattern_security_invoker, 'i'))[1] IS NOT NULL AS security_invoker
+      FROM const k,
+           pg_catalog.pg_seclabel sl
+           JOIN pg_catalog.pg_class c ON sl.classoid = c.tableoid AND sl.objoid = c.oid
+           JOIN pg_catalog.pg_attribute a ON a.attrelid = c.oid AND sl.objsubid = a.attnum
+           LEFT JOIN pg_catalog.pg_seclabel sl2 ON sl2.objoid = c.oid AND sl2.objsubid = 0
+     WHERE a.attnum > 0
+       AND c.relnamespace::regnamespace != 'pg_catalog'::regnamespace
+       AND NOT a.attisdropped
+       AND sl.label ilike 'ENCRYPT%'
+       AND sl.provider = 'pgsodium'
+  )
+  SELECT
+    DISTINCT ON (attrelid, attnum) *
+    FROM rules_from_seclabels
+   ORDER BY attrelid, attnum, priority DESC;
+
+CREATE OR REPLACE FUNCTION pgsodium.mask_role(masked_role regrole, source_name text, view_name text)
+  RETURNS void AS
+  $$
+BEGIN
+  EXECUTE format(
+    'GRANT SELECT ON pgsodium.key TO %s',
+    masked_role);
+
+  EXECUTE format(
+    'GRANT pgsodium_keyiduser, pgsodium_keyholder TO %s',
+    masked_role);
+
+  EXECUTE format(
+    'GRANT ALL ON %s TO %s',
+    view_name,
+    masked_role);
+  RETURN;
+END
+$$
+  LANGUAGE plpgsql
+  SECURITY DEFINER
+  SET search_path='pg_catalog'
+;
+
+CREATE OR REPLACE FUNCTION pgsodium.create_mask_view(relid oid, subid integer, debug boolean = false)
+    RETURNS void AS
+  $$
+DECLARE
+  m record;
+  body text;
+  source_name text;
+  view_owner regrole = session_user;
+  rule pgsodium.masking_rule;
+  privs aclitem[];
+  priv record;
+BEGIN
+  SELECT DISTINCT * INTO STRICT rule FROM pgsodium.masking_rule WHERE attrelid = relid AND attnum = subid;
+
+  source_name := relid::regclass::text;
+
+  BEGIN
+    SELECT relacl INTO STRICT privs FROM pg_catalog.pg_class WHERE oid = rule.view_name::regclass::oid;
+  EXCEPTION
+	WHEN undefined_table THEN
+      SELECT relacl INTO STRICT privs FROM pg_catalog.pg_class WHERE oid = relid;
+  END;
+
+  body = format(
+    $c$
+    DROP VIEW IF EXISTS %1$s;
+    CREATE VIEW %1$s %5$s AS SELECT %2$s
+    FROM %3$s;
+    ALTER VIEW %1$s OWNER TO %4$s;
+    $c$,
+    rule.view_name,
+    pgsodium.decrypted_columns(relid),
+    source_name,
+    view_owner,
+    CASE WHEN rule.security_invoker THEN 'WITH (security_invoker=true)' ELSE '' END
+  );
+  IF debug THEN
+    RAISE NOTICE '%', body;
+  END IF;
+  EXECUTE body;
+
+  FOR priv IN SELECT * FROM pg_catalog.aclexplode(privs) LOOP
+	body = format(
+	  $c$
+	  GRANT %s ON %s TO %s;
+	  $c$,
+	  priv.privilege_type,
+	  rule.view_name,
+	  priv.grantee::regrole::text
+	);
+	IF debug THEN
+	  RAISE NOTICE '%', body;
+	END IF;
+	EXECUTE body;
+  END LOOP;
+
+  FOR m IN SELECT * FROM pgsodium.mask_columns where attrelid = relid LOOP
+	IF m.key_id IS NULL AND m.key_id_column is NULL THEN
+	  CONTINUE;
+	ELSE
+	  body = format(
+		$c$
+		DROP FUNCTION IF EXISTS %1$s."%2$s_encrypt_secret_%3$s"() CASCADE;
+
+		CREATE OR REPLACE FUNCTION %1$s."%2$s_encrypt_secret_%3$s"()
+		  RETURNS TRIGGER
+		  LANGUAGE plpgsql
+		  AS $t$
+		BEGIN
+		%4$s;
+		RETURN new;
+		END;
+		$t$;
+
+		ALTER FUNCTION  %1$s."%2$s_encrypt_secret_%3$s"() OWNER TO %5$s;
+
+		DROP TRIGGER IF EXISTS "%2$s_encrypt_secret_trigger_%3$s" ON %6$s;
+
+		CREATE TRIGGER "%2$s_encrypt_secret_trigger_%3$s"
+		  BEFORE INSERT OR UPDATE OF "%3$s" ON %6$s
+		  FOR EACH ROW
+		  EXECUTE FUNCTION %1$s."%2$s_encrypt_secret_%3$s" ();
+		  $c$,
+		rule.relnamespace,
+		rule.relname,
+		m.attname,
+		pgsodium.encrypted_column(relid, m),
+		view_owner,
+		source_name
+	  );
+	  if debug THEN
+		RAISE NOTICE '%', body;
+	  END IF;
+	  EXECUTE body;
+	END IF;
+  END LOOP;
+
+  raise notice 'about to masking role % %', source_name, rule.view_name;
+  PERFORM pgsodium.mask_role(oid::regrole, source_name, rule.view_name)
+  FROM pg_roles WHERE pgsodium.has_mask(oid::regrole, source_name);
+
+  RETURN;
+END
+  $$
+  LANGUAGE plpgsql
+  VOLATILE
+  SET search_path='pg_catalog'
+;

sql/pgsodium--3.1.7--3.1.8.sql

@@ -0,0 +1,34 @@
+
+CREATE OR REPLACE FUNCTION pgsodium.trg_mask_update()
+RETURNS EVENT_TRIGGER AS
+$$
+DECLARE
+  r record;
+BEGIN
+  IF (SELECT bool_or(in_extension) FROM pg_event_trigger_ddl_commands()) THEN
+    RAISE NOTICE 'skipping pgsodium mask regeneration in extension';
+	RETURN;
+  END IF;
+
+  FOR r IN
+    SELECT e.*
+    FROM pg_event_trigger_ddl_commands() e
+    WHERE EXISTS (
+      SELECT FROM pg_catalog.pg_class c
+      JOIN pg_catalog.pg_seclabel s ON s.classoid = c.tableoid
+                                   AND s.objoid = c.oid
+      WHERE c.tableoid = e.classid
+        AND e.objid = c.oid
+        AND s.provider = 'pgsodium'
+    )
+  LOOP
+    IF r.object_type in ('table', 'table column')
+    THEN
+      PERFORM pgsodium.update_mask(r.objid);
+    END IF;
+  END LOOP;
+END
+$$
+  LANGUAGE plpgsql
+  SET search_path=''
+;