fix: pgsodium extension custom script (#454)

Author: soedirgo

ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql

@@ -1,4 +1,3 @@
 grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, bytea) to service_role;
 grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role;
 grant execute on function pgsodium.crypto_aead_det_keygen to service_role;
-grant execute on function pgsodium.crypto_aead_det_noncegen to service_role;

ansible/tasks/internal/supautils.yml

@@ -49,11 +49,17 @@
 
 - name: supautils - copy extension custom scripts
   copy:
-    src: files/postgresql_extension_custom_scripts
+    src: files/postgresql_extension_custom_scripts/
     dest: /etc/postgresql-custom/extension-custom-scripts
-    mode: 0664
+  become: yes
+
+- name: supautils - chown extension custom scripts
+  file:
+    mode: 0775
     owner: postgres
     group: postgres
+    path: /etc/postgresql-custom/extension-custom-scripts
+    recurse: yes
   become: yes
 
 - name: supautils - include /etc/postgresql-custom/supautils.conf in postgresql.conf

common.vars.pkr.hcl

@@ -1 +1 @@
-postgres-version = "15.1.0.17-rc1"
+postgres-version = "15.1.0.17-rc2"

ebssurrogate/files/unit-tests/unit-test-01.sql

@@ -1,5 +1,5 @@
 BEGIN;
-SELECT plan(9);
+SELECT plan(8);
 
 -- Check installed extensions
 SELECT extensions_are(
@@ -26,7 +26,6 @@ SELECT has_schema('public');
 SELECT function_privs_are('pgsodium', 'crypto_aead_det_decrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
 SELECT function_privs_are('pgsodium', 'crypto_aead_det_encrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
 SELECT function_privs_are('pgsodium', 'crypto_aead_det_keygen', array[]::text[], 'service_role', array['EXECUTE']);
-SELECT function_privs_are('pgsodium', 'crypto_aead_det_noncegen', array[]::text[], 'service_role', array['EXECUTE']);
 
 SELECT * from finish();
 ROLLBACK;

migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql

@@ -6,6 +6,10 @@ grant pgsodium_keyiduser to postgres with admin option;
 grant pgsodium_keyholder to postgres with admin option;
 grant pgsodium_keymaker  to postgres with admin option;
 
+grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, bytea) to service_role;
+grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role;
+grant execute on function pgsodium.crypto_aead_det_keygen to service_role;
+
 -- create extension if not exists supabase_vault;
 
 -- migrate:down

migrations/tests/database/privs.sql

@@ -3,7 +3,6 @@ SELECT database_privs_are(
     'postgres', 'postgres', ARRAY['CONNECT', 'TEMPORARY', 'CREATE']
 );
 
--- SELECT function_privs_are('pgsodium', 'crypto_aead_det_decrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
--- SELECT function_privs_are('pgsodium', 'crypto_aead_det_encrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
--- SELECT function_privs_are('pgsodium', 'crypto_aead_det_keygen', array[]::text[], 'service_role', array['EXECUTE']);
--- SELECT function_privs_are('pgsodium', 'crypto_aead_det_noncegen', array[]::text[], 'service_role', array['EXECUTE']);
+SELECT function_privs_are('pgsodium', 'crypto_aead_det_decrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
+SELECT function_privs_are('pgsodium', 'crypto_aead_det_encrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
+SELECT function_privs_are('pgsodium', 'crypto_aead_det_keygen', array[]::text[], 'service_role', array['EXECUTE']);

migrations/tests/test.sql

@@ -2,7 +2,7 @@ CREATE EXTENSION IF NOT EXISTS pgtap;
 
 BEGIN;
 
-SELECT plan(10);
+SELECT plan(13);
 
 \ir fixtures.sql
 \ir database/test.sql