Skip to content

Commit

Permalink
fix: change perms to not rely on pgsodium_keyiduser
Browse files Browse the repository at this point in the history
  • Loading branch information
soedirgo committed Nov 21, 2024
1 parent 2b0c0e6 commit e4aab63
Show file tree
Hide file tree
Showing 4 changed files with 31 additions and 17 deletions.
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
PG_CFLAGS = -std=c99 -Werror -Wno-declaration-after-statement
EXTENSION = supabase_vault
EXTVERSION = 0.2.8
EXTVERSION = 0.3.0

DATA = $(wildcard sql/*--*.sql)

Expand Down
15 changes: 13 additions & 2 deletions sql/supabase_vault--0.2.8--0.3.0.sql
Original file line number Diff line number Diff line change
Expand Up @@ -68,8 +68,6 @@ SELECT s.id,
s.updated_at
FROM vault.secrets s;

GRANT ALL ON vault.decrypted_secrets TO pgsodium_keyiduser;

CREATE OR REPLACE FUNCTION vault.create_secret(
new_secret text,
new_name text = NULL,
Expand All @@ -78,6 +76,7 @@ CREATE OR REPLACE FUNCTION vault.create_secret(
new_key_id uuid = NULL
)
RETURNS uuid
SECURITY DEFINER
LANGUAGE plpgsql
SET search_path = ''
AS $$
Expand Down Expand Up @@ -113,6 +112,7 @@ CREATE OR REPLACE FUNCTION vault.update_secret(
new_key_id uuid = NULL
)
RETURNS void
SECURITY DEFINER
LANGUAGE plpgsql
SET search_path = ''
AS $$
Expand All @@ -135,3 +135,14 @@ BEGIN
WHERE s.id = secret_id;
END
$$;

REVOKE ALL ON SCHEMA vault FROM pgsodium_keyiduser;
REVOKE ALL ON vault.decrypted_secrets, vault.secrets FROM pgsodium_keyiduser;

REVOKE ALL ON FUNCTION
vault._crypto_aead_det_encrypt,
vault._crypto_aead_det_decrypt,
vault._crypto_aead_det_noncegen,
vault.create_secret,
vault.update_secret
FROM PUBLIC;
14 changes: 10 additions & 4 deletions sql/supabase_vault--0.3.0.sql
Original file line number Diff line number Diff line change
Expand Up @@ -50,10 +50,6 @@ SELECT s.id,
s.updated_at
FROM vault.secrets s;

GRANT ALL ON SCHEMA vault TO pgsodium_keyiduser;
GRANT ALL ON TABLE vault.secrets TO pgsodium_keyiduser;
GRANT ALL ON vault.decrypted_secrets TO pgsodium_keyiduser;

CREATE OR REPLACE FUNCTION vault.create_secret(
new_secret text,
new_name text = NULL,
Expand All @@ -62,6 +58,7 @@ CREATE OR REPLACE FUNCTION vault.create_secret(
new_key_id uuid = NULL
)
RETURNS uuid
SECURITY DEFINER
LANGUAGE plpgsql
SET search_path = ''
AS $$
Expand Down Expand Up @@ -97,6 +94,7 @@ CREATE OR REPLACE FUNCTION vault.update_secret(
new_key_id uuid = NULL
)
RETURNS void
SECURITY DEFINER
LANGUAGE plpgsql
SET search_path = ''
AS $$
Expand All @@ -120,4 +118,12 @@ BEGIN
END
$$;

REVOKE ALL ON FUNCTION
vault._crypto_aead_det_encrypt,
vault._crypto_aead_det_decrypt,
vault._crypto_aead_det_noncegen,
vault.create_secret,
vault.update_secret
FROM PUBLIC;

SELECT pg_catalog.pg_extension_config_dump('vault.secrets', '');
17 changes: 7 additions & 10 deletions test/fixtures.sql
Original file line number Diff line number Diff line change
@@ -1,15 +1,12 @@
CREATE ROLE bob login password 'bob';

CREATE ROLE pgsodium_keyiduser WITH
NOLOGIN
NOSUPERUSER
NOCREATEDB
NOCREATEROLE
INHERIT
NOREPLICATION
CONNECTION LIMIT -1;

CREATE EXTENSION IF NOT EXISTS pgtap;
CREATE EXTENSION supabase_vault CASCADE;

GRANT pgsodium_keyiduser TO bob;
GRANT USAGE ON SCHEMA vault TO bob WITH GRANT OPTION;
GRANT SELECT ON vault.secrets, vault.decrypted_secrets TO bob WITH GRANT OPTION;
GRANT EXECUTE ON FUNCTION
vault.create_secret,
vault.update_secret,
vault._crypto_aead_det_decrypt
TO bob WITH GRANT OPTION;

0 comments on commit e4aab63

Please sign in to comment.