From e4aab63fadaa4e6300bbdfb37667dcda1a2f8ccf Mon Sep 17 00:00:00 2001
From: Bobbie Soedirgo
Date: Thu, 21 Nov 2024 16:59:29 +0800
Subject: [PATCH] fix: change perms to not rely on pgsodium_keyiduser

---
 Makefile                             |  2 +-
 sql/supabase_vault--0.2.8--0.3.0.sql | 15 +++++++++++++--
 sql/supabase_vault--0.3.0.sql        | 14 ++++++++++----
 test/fixtures.sql                    | 17 +++++++----------
 4 files changed, 31 insertions(+), 17 deletions(-)

diff --git a/Makefile b/Makefile
index 70c79ee..af0ef00 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 PG_CFLAGS = -std=c99 -Werror -Wno-declaration-after-statement
 EXTENSION = supabase_vault
-EXTVERSION = 0.2.8
+EXTVERSION = 0.3.0
 
 DATA = $(wildcard sql/*--*.sql)
 
diff --git a/sql/supabase_vault--0.2.8--0.3.0.sql b/sql/supabase_vault--0.2.8--0.3.0.sql
index 541531e..5e4837a 100644
--- a/sql/supabase_vault--0.2.8--0.3.0.sql
+++ b/sql/supabase_vault--0.2.8--0.3.0.sql
@@ -68,8 +68,6 @@ SELECT
 s.id,
 s.updated_at
 FROM vault.secrets s;
-GRANT ALL ON vault.decrypted_secrets TO pgsodium_keyiduser;
-
 CREATE OR REPLACE FUNCTION vault.create_secret(
 new_secret text,
 new_name text = NULL,
@@ -78,6 +76,7 @@ CREATE OR REPLACE FUNCTION vault.create_secret(
 new_key_id uuid = NULL
 )
 RETURNS uuid
+SECURITY DEFINER
 LANGUAGE plpgsql
 SET search_path = ''
 AS $$
@@ -113,6 +112,7 @@ CREATE OR REPLACE FUNCTION vault.update_secret(
 new_key_id uuid = NULL
 )
 RETURNS void
+SECURITY DEFINER
 LANGUAGE plpgsql
 SET search_path = ''
 AS $$
@@ -135,3 +135,14 @@ BEGIN
 WHERE s.id = secret_id;
 END
 $$;
+
+REVOKE ALL ON SCHEMA vault FROM pgsodium_keyiduser;
+REVOKE ALL ON vault.decrypted_secrets, vault.secrets FROM pgsodium_keyiduser;
+
+REVOKE ALL ON FUNCTION
+ vault._crypto_aead_det_encrypt,
+ vault._crypto_aead_det_decrypt,
+ vault._crypto_aead_det_noncegen,
+ vault.create_secret,
+ vault.update_secret
+FROM PUBLIC;
diff --git a/sql/supabase_vault--0.3.0.sql b/sql/supabase_vault--0.3.0.sql
index af6abe2..b0e5998 100644
--- a/sql/supabase_vault--0.3.0.sql
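Review bot: `SECURITY DEFINER` on vault.create_secret (and on vault.update_secret in the next hunk, and both again in sql/supabase_vault--0.3.0.sql) makes the body run with the function owner's privileges, but nothing in the script records why; a one-line comment above the clause, `-- SECURITY DEFINER: callers need EXECUTE on this function only, not direct access to vault.secrets or the vault._crypto_aead_det_* primitives`, ties it to the REVOKEs at the end of the file. `SET search_path = ''` is already present, which is the usual safeguard for definer functions. Because `CREATE OR REPLACE FUNCTION` keeps the existing ACL, the later `REVOKE ALL ON FUNCTION ... FROM PUBLIC` in the same script is what actually closes the default EXECUTE grant, so the two hunks have to ship together. The function body lies outside this hunk.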
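Review bot: `REVOKE ALL ON SCHEMA vault FROM pgsodium_keyiduser` and the table REVOKE on the next line abort the whole upgrade with a "role does not exist" error if that role has been dropped on the instance being upgraded, which becomes plausible once nothing else depends on it; wrapping the two statements in a role-existence guard keeps the script applicable. The script also revokes every grant but grants nothing in return, so roles that previously reached the vault through pgsodium_keyiduser membership lose access at upgrade time. A header comment saying that operators must grant USAGE, SELECT and EXECUTE explicitly (as test/fixtures.sql now does) would make that visible, and the same comment belongs above the `REVOKE ALL ON FUNCTION` block in sql/supabase_vault--0.3.0.sql.
```sql
DO $$
BEGIN
    -- 0.2.8 granted to pgsodium_keyiduser; skip the clean-up if the role is already gone.
    IF EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = 'pgsodium_keyiduser') THEN
        REVOKE ALL ON SCHEMA vault FROM pgsodium_keyiduser;
        REVOKE ALL ON vault.decrypted_secrets, vault.secrets FROM pgsodium_keyiduser;
    END IF;
END
$$;
-- … unchanged: REVOKE ALL ON FUNCTION ... FROM PUBLIC …
```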
+++ b/sql/supabase_vault--0.3.0.sql
@@ -50,10 +50,6 @@ SELECT
 s.id,
 s.updated_at
 FROM vault.secrets s;
-GRANT ALL ON SCHEMA vault TO pgsodium_keyiduser;
-GRANT ALL ON TABLE vault.secrets TO pgsodium_keyiduser;
-GRANT ALL ON vault.decrypted_secrets TO pgsodium_keyiduser;
-
 CREATE OR REPLACE FUNCTION vault.create_secret(
 new_secret text,
 new_name text = NULL,
@@ -62,6 +58,7 @@ CREATE OR REPLACE FUNCTION vault.create_secret(
 new_key_id uuid = NULL
 )
 RETURNS uuid
+SECURITY DEFINER
 LANGUAGE plpgsql
 SET search_path = ''
 AS $$
@@ -97,6 +94,7 @@ CREATE OR REPLACE FUNCTION vault.update_secret(
 new_key_id uuid = NULL
 )
 RETURNS void
+SECURITY DEFINER
 LANGUAGE plpgsql
 SET search_path = ''
 AS $$
@@ -120,4 +118,12 @@ BEGIN
 END
 $$;
 
+REVOKE ALL ON FUNCTION
+ vault._crypto_aead_det_encrypt,
+ vault._crypto_aead_det_decrypt,
+ vault._crypto_aead_det_noncegen,
+ vault.create_secret,
+ vault.update_secret
+FROM PUBLIC;
+
 SELECT pg_catalog.pg_extension_config_dump('vault.secrets', '');
diff --git a/test/fixtures.sql b/test/fixtures.sql
index b323d22..d4c00c8 100644
--- a/test/fixtures.sql
+++ b/test/fixtures.sql
@@ -1,15 +1,12 @@
 CREATE ROLE bob login password 'bob';
 
-CREATE ROLE pgsodium_keyiduser WITH
- NOLOGIN
- NOSUPERUSER
- NOCREATEDB
- NOCREATEROLE
- INHERIT
- NOREPLICATION
- CONNECTION LIMIT -1;
-
 CREATE EXTENSION IF NOT EXISTS pgtap;
 CREATE EXTENSION supabase_vault CASCADE;
 
-GRANT pgsodium_keyiduser TO bob;
+GRANT USAGE ON SCHEMA vault TO bob WITH GRANT OPTION;
+GRANT SELECT ON vault.secrets, vault.decrypted_secrets TO bob WITH GRANT OPTION;
+GRANT EXECUTE ON FUNCTION
+ vault.create_secret,
+ vault.update_secret,
+ vault._crypto_aead_det_decrypt
+TO bob WITH GRANT OPTION;
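Review bot: The `WITH GRANT OPTION` on all three grants lets bob delegate vault access to further roles, which is more than a test consumer needs unless a test exercises re-granting; if none does, dropping it keeps the fixture a least-privilege model of the new scheme. The EXECUTE grant on `vault._crypto_aead_det_decrypt` is presumably required because the `decrypted_secrets` view calls it and PostgreSQL checks EXECUTE on a view's functions as the querying user, but it also hands every reader of the view the raw decrypt primitive. A comment such as `-- needed to read vault.decrypted_secrets; note it also exposes the raw decrypt primitive` would record that trade-off until the primitive is hidden behind a wrapper.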