sharpetronics/PostgreSQL
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-14 00:01:55 -04:00
Code Issues Projects Releases Wiki Activity

Removing the pg_tde_global enum

Browse Source 
As this causes issues with overload resolution, this commit instead
separates global and local key handling into differently named
functions. From now on, functions that deal with global keys have
"global" in the name.
This commit is contained in:
Zsolt Parragi 2025-02-11 19:48:07 +00:00 committed by Zsolt Parragi
parent 747d93f039
commit 0a451edbcc
17 changed files with 455 additions and 452 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ci_scripts/tde_setup_global.sql
View File

@ -1,6 +1,6 @@
CREATE EXTENSION IF NOT EXISTS pg_tde;
SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'reg_file-global', '/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_set_server_principal_key('global-principal-key', 'PG_TDE_GLOBAL', 'reg_file-global');
SELECT pg_tde_add_global_key_provider_file('reg_file-global', '/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_set_server_principal_key('global-principal-key', 'reg_file-global');
SELECT pg_tde_create_wal_key();
ALTER SYSTEM SET pg_tde.wal_encrypt = on;
ALTER SYSTEM SET default_table_access_method = 'tde_heap';

411
contrib/earthdistance/expected/earthdistance_1.out
View File

@ -963,13 +963,12 @@ SELECT abs(cube_distance(ll_to_earth(-30,-90), '(0)'::cube) / earth() - 1) <
--
-- list what's installed
\dT
List of data types
Schema | Name | Description
--------+---------------+---------------------------------------------------------------------------------------------
public | cube | multi-dimensional cube '(FLOAT-1, FLOAT-2, ..., FLOAT-N), (FLOAT-1, FLOAT-2, ..., FLOAT-N)'
public | earth |
public | pg_tde_global |
(3 rows)
List of data types
Schema | Name | Description
--------+-------+---------------------------------------------------------------------------------------------
public | cube | multi-dimensional cube '(FLOAT-1, FLOAT-2, ..., FLOAT-N), (FLOAT-1, FLOAT-2, ..., FLOAT-N)'
public | earth |
(2 rows)
drop extension cube; -- fail, earthdistance requires it
ERROR: cannot drop extension cube because other objects depend on it
@ -981,12 +980,11 @@ ERROR: cannot drop type cube because extension cube requires it
HINT: You can drop extension cube instead.
-- list what's installed
\dT
List of data types
Schema | Name | Description
--------+---------------+---------------------------------------------------------------------------------------------
public | cube | multi-dimensional cube '(FLOAT-1, FLOAT-2, ..., FLOAT-N), (FLOAT-1, FLOAT-2, ..., FLOAT-N)'
public | pg_tde_global |
(2 rows)
List of data types
Schema | Name | Description
--------+------+---------------------------------------------------------------------------------------------
public | cube | multi-dimensional cube '(FLOAT-1, FLOAT-2, ..., FLOAT-N), (FLOAT-1, FLOAT-2, ..., FLOAT-N)'
(1 row)
create table foo (f1 cube, f2 int);
drop extension cube; -- fail, foo.f1 requires it
@ -997,73 +995,72 @@ drop table foo;
drop extension cube;
-- list what's installed
\dT
List of data types
Schema | Name | Description
--------+---------------+-------------
public | pg_tde_global |
(1 row)
List of data types
Schema | Name | Description
--------+------+-------------
(0 rows)
\df
List of functions
Schema | Name | Result data type | Argument data types | Type
--------+-----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+------
public | pg_tde_add_key_provider | integer | pg_tde_global, provider_type character varying, provider_name character varying, options json | func
public | pg_tde_add_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_add_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path json | func
public | pg_tde_add_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path text | func
public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_add_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_add_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_add_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_add_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_change_key_provider | integer | pg_tde_global, provider_type character varying, provider_name character varying, options json | func
public | pg_tde_change_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_change_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path json | func
public | pg_tde_change_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path text | func
public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_change_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_change_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_change_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_change_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_create_wal_key | boolean | | func
public | pg_tde_ddl_command_end_capture | event_trigger | | func
public | pg_tde_ddl_command_start_capture | event_trigger | | func
public | pg_tde_delete_key_provider | void | pg_tde_global, provider_name character varying | func
public | pg_tde_delete_key_provider | void | provider_name character varying | func
public | pg_tde_extension_initialize | void | | func
public | pg_tde_grant_global_key_management_to_role | void | target_role text | func
public | pg_tde_grant_grant_management_to_role | void | target_role text | func
public | pg_tde_grant_key_viewer_to_role | void | target_role text | func
public | pg_tde_grant_local_key_management_to_role | void | target_role text | func
public | pg_tde_internal_has_key | boolean | oid oid | func
public | pg_tde_is_encrypted | boolean | table_name character varying | func
public | pg_tde_list_all_key_providers | SETOF record | OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func
public | pg_tde_list_all_key_providers | SETOF record | pg_tde_global, OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func
public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func
public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | pg_tde_global | func
public | pg_tde_revoke_global_key_management_from_role | void | target_role text | func
public | pg_tde_revoke_grant_management_from_role | void | target_role text | func
public | pg_tde_revoke_key_viewer_from_role | void | target_role text | func
public | pg_tde_revoke_local_key_management_from_role | void | target_role text | func
public | pg_tde_set_default_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_server_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_verify_global_principal_key | void | | func
public | pg_tde_verify_principal_key | void | | func
public | pg_tde_version | text | | func
public | pg_tdeam_basic_handler | table_am_handler | internal | func
public | pg_tdeam_handler | table_am_handler | internal | func
List of functions
Schema | Name | Result data type | Argument data types | Type
--------+-----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------+------
public | pg_tde_add_global_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_add_global_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_add_global_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_add_global_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_add_global_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_add_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_add_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_add_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_change_global_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_change_global_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_change_global_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_change_global_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_change_global_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_change_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_change_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_change_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_create_wal_key | boolean | | func
public | pg_tde_ddl_command_end_capture | event_trigger | | func
public | pg_tde_ddl_command_start_capture | event_trigger | | func
public | pg_tde_delete_global_key_provider | void | provider_name character varying | func
public | pg_tde_delete_key_provider | void | provider_name character varying | func
public | pg_tde_extension_initialize | void | | func
public | pg_tde_global_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func
public | pg_tde_grant_global_key_management_to_role | void | target_role text | func
public | pg_tde_grant_grant_management_to_role | void | target_role text | func
public | pg_tde_grant_key_viewer_to_role | void | target_role text | func
public | pg_tde_grant_local_key_management_to_role | void | target_role text | func
public | pg_tde_internal_has_key | boolean | oid oid | func
public | pg_tde_is_encrypted | boolean | table_name character varying | func
public | pg_tde_list_all_global_key_providers | SETOF record | OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func
public | pg_tde_list_all_key_providers | SETOF record | OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func
public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func
public | pg_tde_revoke_global_key_management_from_role | void | target_role text | func
public | pg_tde_revoke_grant_management_from_role | void | target_role text | func
public | pg_tde_revoke_key_viewer_from_role | void | target_role text | func
public | pg_tde_revoke_local_key_management_from_role | void | target_role text | func
public | pg_tde_set_default_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_global_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_server_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_verify_global_principal_key | void | | func
public | pg_tde_verify_principal_key | void | | func
public | pg_tde_version | text | | func
public | pg_tdeam_basic_handler | table_am_handler | internal | func
public | pg_tdeam_handler | table_am_handler | internal | func
(57 rows)
\do
@ -1076,73 +1073,72 @@ create schema c;
create extension cube with schema c;
-- list what's installed
\dT public.*
List of data types
Schema | Name | Description
--------+---------------+-------------
public | pg_tde_global |
(1 row)
List of data types
Schema | Name | Description
--------+------+-------------
(0 rows)
\df public.*
List of functions
Schema | Name | Result data type | Argument data types | Type
--------+-----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+------
public | pg_tde_add_key_provider | integer | pg_tde_global, provider_type character varying, provider_name character varying, options json | func
public | pg_tde_add_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_add_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path json | func
public | pg_tde_add_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path text | func
public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_add_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_add_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_add_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_add_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_change_key_provider | integer | pg_tde_global, provider_type character varying, provider_name character varying, options json | func
public | pg_tde_change_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_change_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path json | func
public | pg_tde_change_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path text | func
public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_change_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_change_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_change_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_change_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_create_wal_key | boolean | | func
public | pg_tde_ddl_command_end_capture | event_trigger | | func
public | pg_tde_ddl_command_start_capture | event_trigger | | func
public | pg_tde_delete_key_provider | void | pg_tde_global, provider_name character varying | func
public | pg_tde_delete_key_provider | void | provider_name character varying | func
public | pg_tde_extension_initialize | void | | func
public | pg_tde_grant_global_key_management_to_role | void | target_role text | func
public | pg_tde_grant_grant_management_to_role | void | target_role text | func
public | pg_tde_grant_key_viewer_to_role | void | target_role text | func
public | pg_tde_grant_local_key_management_to_role | void | target_role text | func
public | pg_tde_internal_has_key | boolean | oid oid | func
public | pg_tde_is_encrypted | boolean | table_name character varying | func
public | pg_tde_list_all_key_providers | SETOF record | OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func
public | pg_tde_list_all_key_providers | SETOF record | pg_tde_global, OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func
public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func
public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | pg_tde_global | func
public | pg_tde_revoke_global_key_management_from_role | void | target_role text | func
public | pg_tde_revoke_grant_management_from_role | void | target_role text | func
public | pg_tde_revoke_key_viewer_from_role | void | target_role text | func
public | pg_tde_revoke_local_key_management_from_role | void | target_role text | func
public | pg_tde_set_default_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_server_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_verify_global_principal_key | void | | func
public | pg_tde_verify_principal_key | void | | func
public | pg_tde_version | text | | func
public | pg_tdeam_basic_handler | table_am_handler | internal | func
public | pg_tdeam_handler | table_am_handler | internal | func
List of functions
Schema | Name | Result data type | Argument data types | Type
--------+-----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------+------
public | pg_tde_add_global_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_add_global_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_add_global_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_add_global_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_add_global_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_add_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_add_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_add_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_change_global_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_change_global_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_change_global_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_change_global_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_change_global_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_change_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_change_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_change_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_create_wal_key | boolean | | func
public | pg_tde_ddl_command_end_capture | event_trigger | | func
public | pg_tde_ddl_command_start_capture | event_trigger | | func
public | pg_tde_delete_global_key_provider | void | provider_name character varying | func
public | pg_tde_delete_key_provider | void | provider_name character varying | func
public | pg_tde_extension_initialize | void | | func
public | pg_tde_global_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func
public | pg_tde_grant_global_key_management_to_role | void | target_role text | func
public | pg_tde_grant_grant_management_to_role | void | target_role text | func
public | pg_tde_grant_key_viewer_to_role | void | target_role text | func
public | pg_tde_grant_local_key_management_to_role | void | target_role text | func
public | pg_tde_internal_has_key | boolean | oid oid | func
public | pg_tde_is_encrypted | boolean | table_name character varying | func
public | pg_tde_list_all_global_key_providers | SETOF record | OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func
public | pg_tde_list_all_key_providers | SETOF record | OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func
public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func
public | pg_tde_revoke_global_key_management_from_role | void | target_role text | func
public | pg_tde_revoke_grant_management_from_role | void | target_role text | func
public | pg_tde_revoke_key_viewer_from_role | void | target_role text | func
public | pg_tde_revoke_local_key_management_from_role | void | target_role text | func
public | pg_tde_set_default_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_global_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_server_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_verify_global_principal_key | void | | func
public | pg_tde_verify_principal_key | void | | func
public | pg_tde_version | text | | func
public | pg_tdeam_basic_handler | table_am_handler | internal | func
public | pg_tdeam_handler | table_am_handler | internal | func
(57 rows)
\do public.*
@ -1178,73 +1174,72 @@ NOTICE: drop cascades to column f1 of table foo
-- list what's installed
\dT public.*
List of data types
Schema | Name | Description
--------+---------------+-------------
public | pg_tde_global |
(1 row)
List of data types
Schema | Name | Description
--------+------+-------------
(0 rows)
\df public.*
List of functions
Schema | Name | Result data type | Argument data types | Type
--------+-----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+------
public | pg_tde_add_key_provider | integer | pg_tde_global, provider_type character varying, provider_name character varying, options json | func
public | pg_tde_add_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_add_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path json | func
public | pg_tde_add_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path text | func
public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_add_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_add_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_add_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_add_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_change_key_provider | integer | pg_tde_global, provider_type character varying, provider_name character varying, options json | func
public | pg_tde_change_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_change_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path json | func
public | pg_tde_change_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path text | func
public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_change_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_change_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_change_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_change_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_create_wal_key | boolean | | func
public | pg_tde_ddl_command_end_capture | event_trigger | | func
public | pg_tde_ddl_command_start_capture | event_trigger | | func
public | pg_tde_delete_key_provider | void | pg_tde_global, provider_name character varying | func
public | pg_tde_delete_key_provider | void | provider_name character varying | func
public | pg_tde_extension_initialize | void | | func
public | pg_tde_grant_global_key_management_to_role | void | target_role text | func
public | pg_tde_grant_grant_management_to_role | void | target_role text | func
public | pg_tde_grant_key_viewer_to_role | void | target_role text | func
public | pg_tde_grant_local_key_management_to_role | void | target_role text | func
public | pg_tde_internal_has_key | boolean | oid oid | func
public | pg_tde_is_encrypted | boolean | table_name character varying | func
public | pg_tde_list_all_key_providers | SETOF record | OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func
public | pg_tde_list_all_key_providers | SETOF record | pg_tde_global, OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func
public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func
public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | pg_tde_global | func
public | pg_tde_revoke_global_key_management_from_role | void | target_role text | func
public | pg_tde_revoke_grant_management_from_role | void | target_role text | func
public | pg_tde_revoke_key_viewer_from_role | void | target_role text | func
public | pg_tde_revoke_local_key_management_from_role | void | target_role text | func
public | pg_tde_set_default_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_server_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_verify_global_principal_key | void | | func
public | pg_tde_verify_principal_key | void | | func
public | pg_tde_version | text | | func
public | pg_tdeam_basic_handler | table_am_handler | internal | func
public | pg_tdeam_handler | table_am_handler | internal | func
List of functions
Schema | Name | Result data type | Argument data types | Type
--------+-----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------+------
public | pg_tde_add_global_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_add_global_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_add_global_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_add_global_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_add_global_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_add_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_add_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_add_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_change_global_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_change_global_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_change_global_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_change_global_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_change_global_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_change_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_change_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_change_key_provider | integer | provider_type character varying, provider_name character varying, options json | func
public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path json | func
public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path text | func
public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func
public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func
public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func
public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func
public | pg_tde_create_wal_key | boolean | | func
public | pg_tde_ddl_command_end_capture | event_trigger | | func
public | pg_tde_ddl_command_start_capture | event_trigger | | func
public | pg_tde_delete_global_key_provider | void | provider_name character varying | func
public | pg_tde_delete_key_provider | void | provider_name character varying | func
public | pg_tde_extension_initialize | void | | func
public | pg_tde_global_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func
public | pg_tde_grant_global_key_management_to_role | void | target_role text | func
public | pg_tde_grant_grant_management_to_role | void | target_role text | func
public | pg_tde_grant_key_viewer_to_role | void | target_role text | func
public | pg_tde_grant_local_key_management_to_role | void | target_role text | func
public | pg_tde_internal_has_key | boolean | oid oid | func
public | pg_tde_is_encrypted | boolean | table_name character varying | func
public | pg_tde_list_all_global_key_providers | SETOF record | OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func
public | pg_tde_list_all_key_providers | SETOF record | OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func
public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func
public | pg_tde_revoke_global_key_management_from_role | void | target_role text | func
public | pg_tde_revoke_grant_management_from_role | void | target_role text | func
public | pg_tde_revoke_key_viewer_from_role | void | target_role text | func
public | pg_tde_revoke_local_key_management_from_role | void | target_role text | func
public | pg_tde_set_default_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_global_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_set_server_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func
public | pg_tde_verify_global_principal_key | void | | func
public | pg_tde_verify_principal_key | void | | func
public | pg_tde_version | text | | func
public | pg_tdeam_basic_handler | table_am_handler | internal | func
public | pg_tdeam_handler | table_am_handler | internal | func
(57 rows)
\do public.*

16
contrib/pg_tde/expected/default_principal_key.out
View File

@ -1,20 +1,20 @@
CREATE EXTENSION IF NOT EXISTS pg_tde;
SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-provider','/tmp/pg_tde_regression_default_principal_key.per');
pg_tde_add_key_provider_file
------------------------------
-4
SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_regression_default_principal_key.per');
pg_tde_add_global_key_provider_file
-------------------------------------
-4
(1 row)
SELECT pg_tde_set_default_principal_key('default-principal-key', 'PG_TDE_GLOBAL', 'file-provider', false);
SELECT pg_tde_set_default_principal_key('default-principal-key', 'file-provider', false);
pg_tde_set_default_principal_key
----------------------------------
t
(1 row)
-- fails
SELECT pg_tde_delete_key_provider('PG_TDE_GLOBAL', 'file-provider');
SELECT pg_tde_delete_global_key_provider('file-provider');
ERROR: Can't delete a provider which is currently in use
SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL');
SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
id | provider_name
----+---------------
-2 | file-keyring2
@ -67,7 +67,7 @@ SELECT key_provider_id, key_provider_name, principal_key_name
(1 row)
\c regression_pg_tde
SELECT pg_tde_set_default_principal_key('new-default-principal-key', 'PG_TDE_GLOBAL', 'file-provider', false);
SELECT pg_tde_set_default_principal_key('new-default-principal-key', 'file-provider', false);
WARNING: you don't own a lock of type AccessExclusiveLock
pg_tde_set_default_principal_key
----------------------------------

42
contrib/pg_tde/expected/key_provider.out
View File

@ -80,19 +80,19 @@ SELECT * FROM pg_tde_list_all_key_providers();
2 | file-provider2 | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring2.per"}
(2 rows)
SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring','/tmp/pg_tde_test_keyring.per');
pg_tde_add_key_provider_file
------------------------------
-1
SELECT pg_tde_add_global_key_provider_file('file-keyring','/tmp/pg_tde_test_keyring.per');
pg_tde_add_global_key_provider_file
-------------------------------------
-1
(1 row)
SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring2','/tmp/pg_tde_test_keyring2.per');
pg_tde_add_key_provider_file
------------------------------
-2
SELECT pg_tde_add_global_key_provider_file('file-keyring2','/tmp/pg_tde_test_keyring2.per');
pg_tde_add_global_key_provider_file
-------------------------------------
-2
(1 row)
SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL');
SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
id | provider_name
----+---------------
-1 | file-keyring
@ -123,40 +123,40 @@ SELECT id, provider_name FROM pg_tde_list_all_key_providers();
1 | file-provider
(1 row)
SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL');
SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
id | provider_name
----+---------------
-1 | file-keyring
-2 | file-keyring2
(2 rows)
SELECT pg_tde_set_principal_key('test-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring', false);
pg_tde_set_principal_key
--------------------------
SELECT pg_tde_set_global_principal_key('test-db-principal-key', 'file-keyring', false);
pg_tde_set_global_principal_key
---------------------------------
t
(1 row)
-- fails
SELECT pg_tde_delete_key_provider('PG_TDE_GLOBAL', 'file-keyring');
pg_tde_delete_key_provider
----------------------------
SELECT pg_tde_delete_global_key_provider('file-keyring');
pg_tde_delete_global_key_provider
-----------------------------------
(1 row)
SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL');
SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
id | provider_name
----+---------------
-2 | file-keyring2
(1 row)
-- works
SELECT pg_tde_delete_key_provider('PG_TDE_GLOBAL', 'file-keyring2');
pg_tde_delete_key_provider
----------------------------
SELECT pg_tde_delete_global_key_provider('file-keyring2');
pg_tde_delete_global_key_provider
-----------------------------------
(1 row)
SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL');
SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
id | provider_name
----+---------------
-2 | file-keyring2

12
contrib/pg_tde/expected/wal_key.out
View File

@ -4,20 +4,20 @@
CREATE EXTENSION IF NOT EXISTS pg_tde;
SELECT pg_tde_create_wal_key();
ERROR: failed to retrieve principal key. Create one using pg_tde_set_principal_key before using encrypted tables.
SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring','/tmp/pg_tde_test_keyring.per');
pg_tde_add_key_provider_file
------------------------------
-3
SELECT pg_tde_add_global_key_provider_file('file-keyring','/tmp/pg_tde_test_keyring.per');
pg_tde_add_global_key_provider_file
-------------------------------------
-3
(1 row)
SELECT pg_tde_create_wal_key();
ERROR: failed to retrieve principal key. Create one using pg_tde_set_principal_key before using encrypted tables.
-- db local principal key with global provider
SELECT pg_tde_set_principal_key('test-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring', true);
SELECT pg_tde_set_global_principal_key('test-db-principal-key', 'file-keyring', true);
ERROR: failed to create principal key: already exists
SELECT pg_tde_create_wal_key();
ERROR: failed to retrieve principal key. Create one using pg_tde_set_principal_key before using encrypted tables.
SELECT pg_tde_set_server_principal_key('test-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring');
SELECT pg_tde_set_server_principal_key('test-db-principal-key', 'file-keyring');
pg_tde_set_server_principal_key
---------------------------------
t

234
contrib/pg_tde/pg_tde--1.0-beta2.sql
View File

@ -3,8 +3,6 @@
-- complain if script is sourced in psql, rather than via CREATE EXTENSION
\echo Use "CREATE EXTENSION pg_tde" to load this file. \quit
CREATE type PG_TDE_GLOBAL AS ENUM('PG_TDE_GLOBAL');
-- Key Provider Management
CREATE FUNCTION pg_tde_add_key_provider(provider_type VARCHAR(10), provider_name VARCHAR(128), options JSON)
RETURNS INT
@ -103,7 +101,7 @@ BEGIN ATOMIC
'certPath' VALUE kmip_cert_path));
END;
CREATE FUNCTION pg_tde_set_default_principal_key(principal_key_name VARCHAR(255), PG_TDE_GLOBAL, provider_name VARCHAR(255) DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
CREATE FUNCTION pg_tde_set_default_principal_key(principal_key_name VARCHAR(255), provider_name VARCHAR(255) DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
RETURNS boolean
AS 'MODULE_PATHNAME'
LANGUAGE C;
@ -117,8 +115,8 @@ RETURNS SETOF record
LANGUAGE C STRICT
AS 'MODULE_PATHNAME';
CREATE FUNCTION pg_tde_list_all_key_providers
(PG_TDE_GLOBAL, OUT id INT,
CREATE FUNCTION pg_tde_list_all_global_key_providers
(OUT id INT,
OUT provider_name VARCHAR(128),
OUT provider_type VARCHAR(10),
OUT options JSON)
@ -127,43 +125,42 @@ LANGUAGE C STRICT
AS 'MODULE_PATHNAME';
-- Global Tablespace Key Provider Management
CREATE FUNCTION pg_tde_add_key_provider(PG_TDE_GLOBAL, provider_type VARCHAR(10), provider_name VARCHAR(128), options JSON)
CREATE FUNCTION pg_tde_add_global_key_provider(provider_type VARCHAR(10), provider_name VARCHAR(128), options JSON)
RETURNS INT
LANGUAGE C
AS 'MODULE_PATHNAME', 'pg_tde_add_key_provider_global';
AS 'MODULE_PATHNAME';
CREATE FUNCTION pg_tde_add_key_provider_file(PG_TDE_GLOBAL, provider_name VARCHAR(128), file_path TEXT)
CREATE FUNCTION pg_tde_add_global_key_provider_file(provider_name VARCHAR(128), file_path TEXT)
RETURNS INT
LANGUAGE SQL
BEGIN ATOMIC
-- JSON keys in the options must be matched to the keys in
-- load_file_keyring_provider_options function.
SELECT pg_tde_add_key_provider('PG_TDE_GLOBAL', 'file', provider_name,
SELECT pg_tde_add_global_key_provider('file', provider_name,
json_object('type' VALUE 'file', 'path' VALUE COALESCE(file_path, '')));
END;
CREATE FUNCTION pg_tde_add_key_provider_file(PG_TDE_GLOBAL, provider_name VARCHAR(128), file_path JSON)
CREATE FUNCTION pg_tde_add_global_key_provider_file(provider_name VARCHAR(128), file_path JSON)
RETURNS INT
LANGUAGE SQL
BEGIN ATOMIC
-- JSON keys in the options must be matched to the keys in
-- load_file_keyring_provider_options function.
SELECT pg_tde_add_key_provider('PG_TDE_GLOBAL', 'file', provider_name,
SELECT pg_tde_add_global_key_provider('file', provider_name,
json_object('type' VALUE 'file', 'path' VALUE file_path));
END;
CREATE FUNCTION pg_tde_add_key_provider_vault_v2(PG_TDE_GLOBAL,
provider_name VARCHAR(128),
vault_token TEXT,
vault_url TEXT,
vault_mount_path TEXT,
vault_ca_path TEXT)
CREATE FUNCTION pg_tde_add_global_key_provider_vault_v2(provider_name VARCHAR(128),
vault_token TEXT,
vault_url TEXT,
vault_mount_path TEXT,
vault_ca_path TEXT)
RETURNS INT
LANGUAGE SQL
BEGIN ATOMIC
-- JSON keys in the options must be matched to the keys in
-- load_vaultV2_keyring_provider_options function.
SELECT pg_tde_add_key_provider('PG_TDE_GLOBAL', 'vault-v2', provider_name,
SELECT pg_tde_add_global_key_provider('vault-v2', provider_name,
json_object('type' VALUE 'vault-v2',
'url' VALUE COALESCE(vault_url, ''),
'token' VALUE COALESCE(vault_token, ''),
@ -171,18 +168,17 @@ BEGIN ATOMIC
'caPath' VALUE COALESCE(vault_ca_path, '')));
END;
CREATE FUNCTION pg_tde_add_key_provider_vault_v2(PG_TDE_GLOBAL,
provider_name VARCHAR(128),
vault_token JSON,
vault_url JSON,
vault_mount_path JSON,
vault_ca_path JSON)
CREATE FUNCTION pg_tde_add_global_key_provider_vault_v2(provider_name VARCHAR(128),
vault_token JSON,
vault_url JSON,
vault_mount_path JSON,
vault_ca_path JSON)
RETURNS INT
LANGUAGE SQL
BEGIN ATOMIC
-- JSON keys in the options must be matched to the keys in
-- load_vaultV2_keyring_provider_options function.
SELECT pg_tde_add_key_provider('PG_TDE_GLOBAL', 'vault-v2', provider_name,
SELECT pg_tde_add_global_key_provider('vault-v2', provider_name,
json_object('type' VALUE 'vault-v2',
'url' VALUE vault_url,
'token' VALUE vault_token,
@ -190,18 +186,17 @@ BEGIN ATOMIC
'caPath' VALUE vault_ca_path));
END;
CREATE FUNCTION pg_tde_add_key_provider_kmip(PG_TDE_GLOBAL,
provider_name VARCHAR(128),
kmip_host TEXT,
kmip_port INT,
kmip_ca_path TEXT,
kmip_cert_path TEXT)
CREATE FUNCTION pg_tde_add_global_key_provider_kmip(provider_name VARCHAR(128),
kmip_host TEXT,
kmip_port INT,
kmip_ca_path TEXT,
kmip_cert_path TEXT)
RETURNS INT
LANGUAGE SQL
BEGIN ATOMIC
-- JSON keys in the options must be matched to the keys in
-- load_kmip_keyring_provider_options function.
SELECT pg_tde_add_key_provider('PG_TDE_GLOBAL', 'kmip', provider_name,
SELECT pg_tde_add_global_key_provider('kmip', provider_name,
json_object('type' VALUE 'kmip',
'host' VALUE COALESCE(kmip_host, ''),
'port' VALUE kmip_port,
@ -209,18 +204,17 @@ BEGIN ATOMIC
'certPath' VALUE COALESCE(kmip_cert_path, '')));
END;
CREATE FUNCTION pg_tde_add_key_provider_kmip(PG_TDE_GLOBAL,
provider_name VARCHAR(128),
kmip_host JSON,
kmip_port JSON,
kmip_ca_path JSON,
kmip_cert_path JSON)
CREATE FUNCTION pg_tde_add_global_key_provider_kmip(provider_name VARCHAR(128),
kmip_host JSON,
kmip_port JSON,
kmip_ca_path JSON,
kmip_cert_path JSON)
RETURNS INT
LANGUAGE SQL
BEGIN ATOMIC
-- JSON keys in the options must be matched to the keys in
-- load_kmip_keyring_provider_options function.
SELECT pg_tde_add_key_provider('PG_TDE_GLOBAL', 'vault-v2', provider_name,
SELECT pg_tde_add_global_key_provider('vault-v2', provider_name,
json_object('type' VALUE 'vault-v2',
'host' VALUE kmip_host,
'port' VALUE kmip_port,
@ -327,43 +321,42 @@ BEGIN ATOMIC
END;
-- Global Tablespace Key Provider Management
CREATE FUNCTION pg_tde_change_key_provider(PG_TDE_GLOBAL, provider_type VARCHAR(10), provider_name VARCHAR(128), options JSON)
CREATE FUNCTION pg_tde_change_global_key_provider(provider_type VARCHAR(10), provider_name VARCHAR(128), options JSON)
RETURNS INT
LANGUAGE C
AS 'MODULE_PATHNAME', 'pg_tde_change_key_provider_global';
AS 'MODULE_PATHNAME';
CREATE FUNCTION pg_tde_change_key_provider_file(PG_TDE_GLOBAL, provider_name VARCHAR(128), file_path TEXT)
CREATE FUNCTION pg_tde_change_global_key_provider_file(provider_name VARCHAR(128), file_path TEXT)
RETURNS INT
LANGUAGE SQL
BEGIN ATOMIC
-- JSON keys in the options must be matched to the keys in
-- load_file_keyring_provider_options function.
SELECT pg_tde_change_key_provider('PG_TDE_GLOBAL', 'file', provider_name,
SELECT pg_tde_change_global_key_provider('file', provider_name,
json_object('type' VALUE 'file', 'path' VALUE COALESCE(file_path, '')));
END;
CREATE FUNCTION pg_tde_change_key_provider_file(PG_TDE_GLOBAL, provider_name VARCHAR(128), file_path JSON)
CREATE FUNCTION pg_tde_change_global_key_provider_file(provider_name VARCHAR(128), file_path JSON)
RETURNS INT
LANGUAGE SQL
BEGIN ATOMIC
-- JSON keys in the options must be matched to the keys in
-- load_file_keyring_provider_options function.
SELECT pg_tde_change_key_provider('PG_TDE_GLOBAL', 'file', provider_name,
SELECT pg_tde_change_global_key_provider('file', provider_name,
json_object('type' VALUE 'file', 'path' VALUE file_path));
END;
CREATE FUNCTION pg_tde_change_key_provider_vault_v2(PG_TDE_GLOBAL,
provider_name VARCHAR(128),
vault_token TEXT,
vault_url TEXT,
vault_mount_path TEXT,
vault_ca_path TEXT)
CREATE FUNCTION pg_tde_change_global_key_provider_vault_v2(provider_name VARCHAR(128),
vault_token TEXT,
vault_url TEXT,
vault_mount_path TEXT,
vault_ca_path TEXT)
RETURNS INT
LANGUAGE SQL
BEGIN ATOMIC
-- JSON keys in the options must be matched to the keys in
-- load_vaultV2_keyring_provider_options function.
SELECT pg_tde_change_key_provider('PG_TDE_GLOBAL', 'vault-v2', provider_name,
SELECT pg_tde_change_global_key_provider('vault-v2', provider_name,
json_object('type' VALUE 'vault-v2',
'url' VALUE COALESCE(vault_url, ''),
'token' VALUE COALESCE(vault_token, ''),
@ -371,18 +364,17 @@ BEGIN ATOMIC
'caPath' VALUE COALESCE(vault_ca_path, '')));
END;
CREATE FUNCTION pg_tde_change_key_provider_vault_v2(PG_TDE_GLOBAL,
provider_name VARCHAR(128),
vault_token JSON,
vault_url JSON,
vault_mount_path JSON,
vault_ca_path JSON)
CREATE FUNCTION pg_tde_change_global_key_provider_vault_v2(provider_name VARCHAR(128),
vault_token JSON,
vault_url JSON,
vault_mount_path JSON,
vault_ca_path JSON)
RETURNS INT
LANGUAGE SQL
BEGIN ATOMIC
-- JSON keys in the options must be matched to the keys in
-- load_vaultV2_keyring_provider_options function.
SELECT pg_tde_change_key_provider('PG_TDE_GLOBAL', 'vault-v2', provider_name,
SELECT pg_tde_change_global_key_provider('vault-v2', provider_name,
json_object('type' VALUE 'vault-v2',
'url' VALUE vault_url,
'token' VALUE vault_token,
@ -390,18 +382,17 @@ BEGIN ATOMIC
'caPath' VALUE vault_ca_path));
END;
CREATE FUNCTION pg_tde_change_key_provider_kmip(PG_TDE_GLOBAL,
provider_name VARCHAR(128),
kmip_host TEXT,
kmip_port INT,
kmip_ca_path TEXT,
kmip_cert_path TEXT)
CREATE FUNCTION pg_tde_change_global_key_provider_kmip(provider_name VARCHAR(128),
kmip_host TEXT,
kmip_port INT,
kmip_ca_path TEXT,
kmip_cert_path TEXT)
RETURNS INT
LANGUAGE SQL
BEGIN ATOMIC
-- JSON keys in the options must be matched to the keys in
-- load_kmip_keyring_provider_options function.
SELECT pg_tde_change_key_provider('PG_TDE_GLOBAL', 'kmip', provider_name,
SELECT pg_tde_change_global_key_provider('kmip', provider_name,
json_object('type' VALUE 'kmip',
'host' VALUE COALESCE(kmip_host, ''),
'port' VALUE kmip_port,
@ -409,18 +400,17 @@ BEGIN ATOMIC
'certPath' VALUE COALESCE(kmip_cert_path, '')));
END;
CREATE FUNCTION pg_tde_change_key_provider_kmip(PG_TDE_GLOBAL,
provider_name VARCHAR(128),
kmip_host JSON,
kmip_port JSON,
kmip_ca_path JSON,
kmip_cert_path JSON)
CREATE FUNCTION pg_tde_change_global_key_provider_kmip(provider_name VARCHAR(128),
kmip_host JSON,
kmip_port JSON,
kmip_ca_path JSON,
kmip_cert_path JSON)
RETURNS INT
LANGUAGE SQL
BEGIN ATOMIC
-- JSON keys in the options must be matched to the keys in
-- load_kmip_keyring_provider_options function.
SELECT pg_tde_change_key_provider('PG_TDE_GLOBAL', 'vault-v2', provider_name,
SELECT pg_tde_change_global_key_provider('vault-v2', provider_name,
json_object('type' VALUE 'vault-v2',
'host' VALUE kmip_host,
'port' VALUE kmip_port,
@ -458,15 +448,15 @@ RETURNS boolean
LANGUAGE C
AS 'MODULE_PATHNAME';
CREATE FUNCTION pg_tde_set_principal_key(principal_key_name VARCHAR(255), PG_TDE_GLOBAL, provider_name VARCHAR(255) DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
CREATE FUNCTION pg_tde_set_global_principal_key(principal_key_name VARCHAR(255), provider_name VARCHAR(255) DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
RETURNS boolean
LANGUAGE C
AS 'MODULE_PATHNAME', 'pg_tde_set_principal_key_global';
AS 'MODULE_PATHNAME';
CREATE FUNCTION pg_tde_set_server_principal_key(principal_key_name VARCHAR(255), PG_TDE_GLOBAL, provider_name VARCHAR(255) DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
CREATE FUNCTION pg_tde_set_server_principal_key(principal_key_name VARCHAR(255), provider_name VARCHAR(255) DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
RETURNS boolean
LANGUAGE C
AS 'MODULE_PATHNAME', 'pg_tde_set_principal_key_server';
AS 'MODULE_PATHNAME';
CREATE FUNCTION pg_tde_create_wal_key()
RETURNS boolean
@ -496,18 +486,18 @@ RETURNS TABLE ( principal_key_name text,
LANGUAGE C
AS 'MODULE_PATHNAME';
CREATE FUNCTION pg_tde_principal_key_info(PG_TDE_GLOBAL)
CREATE FUNCTION pg_tde_global_principal_key_info()
RETURNS TABLE ( principal_key_name text,
key_provider_name text,
key_provider_name text,
key_provider_id integer,
key_createion_time timestamp with time zone)
LANGUAGE C
AS 'MODULE_PATHNAME', 'pg_tde_principal_key_info_global';
AS 'MODULE_PATHNAME';
CREATE FUNCTION pg_tde_delete_key_provider(PG_TDE_GLOBAL, provider_name VARCHAR)
CREATE FUNCTION pg_tde_delete_global_key_provider(provider_name VARCHAR)
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME', 'pg_tde_delete_key_provider_global';
AS 'MODULE_PATHNAME';
CREATE FUNCTION pg_tde_delete_key_provider(provider_name VARCHAR)
RETURNS VOID
@ -564,30 +554,30 @@ LANGUAGE plpgsql
SET search_path = @extschema@
AS $$
BEGIN
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider(pg_tde_global, varchar, varchar, JSON) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider(varchar, varchar, JSON) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_file(pg_tde_global, varchar, json) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_file(pg_tde_global, varchar, text) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_vault_v2(pg_tde_global, varchar, text, text, text, text) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_vault_v2(pg_tde_global, varchar, JSON, JSON, JSON, JSON) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_kmip(pg_tde_global, varchar, text, int, text, text) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_kmip(pg_tde_global, varchar, JSON, JSON, JSON, JSON) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider_file(varchar, json) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider_file(varchar, text) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider_vault_v2(varchar, text, text, text, text) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider_vault_v2(varchar, JSON, JSON, JSON, JSON) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider_kmip(varchar, text, int, text, text) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider_kmip(varchar, JSON, JSON, JSON, JSON) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider(pg_tde_global, varchar, varchar, JSON) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider(varchar, varchar, JSON) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_file(pg_tde_global, varchar, json) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_file(pg_tde_global, varchar, text) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_vault_v2(pg_tde_global, varchar, text, text, text, text) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_vault_v2(pg_tde_global, varchar, JSON, JSON, JSON, JSON) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_kmip(pg_tde_global, varchar, text, int, text, text) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_kmip(pg_tde_global, varchar, JSON, JSON, JSON, JSON) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider_file(varchar, json) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider_file(varchar, text) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider_vault_v2(varchar, text, text, text, text) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider_vault_v2(varchar, JSON, JSON, JSON, JSON) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider_kmip(varchar, text, int, text, text) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider_kmip(varchar, JSON, JSON, JSON, JSON) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_delete_key_provider(pg_tde_global, varchar) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_delete_global_key_provider(varchar) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_principal_key(varchar, pg_tde_global, varchar, BOOLEAN) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_server_principal_key(varchar, pg_tde_global, varchar, BOOLEAN) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_global_principal_key(varchar, varchar, BOOLEAN) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_server_principal_key(varchar, varchar, BOOLEAN) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_default_principal_key(varchar, pg_tde_global, varchar, BOOLEAN) FROM %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_default_principal_key(varchar, varchar, BOOLEAN) FROM %I', target_role);
END;
$$;
@ -630,11 +620,11 @@ SET search_path = @extschema@
AS $$
BEGIN
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_list_all_key_providers(OUT INT, OUT varchar, OUT varchar, OUT JSON) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_list_all_key_providers(pg_tde_global, OUT INT, OUT varchar, OUT varchar, OUT JSON) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_list_all_global_key_providers(OUT INT, OUT varchar, OUT varchar, OUT JSON) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_is_encrypted(VARCHAR) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_principal_key_info() TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_principal_key_info(pg_tde_global) TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_global_principal_key_info() TO %I', target_role);
END;
$$;
@ -645,30 +635,30 @@ LANGUAGE plpgsql
SET search_path = @extschema@
AS $$
BEGIN
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider(pg_tde_global, varchar, varchar, JSON) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_global_key_provider(varchar, varchar, JSON) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_file(pg_tde_global, varchar, json) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_file(pg_tde_global, varchar, text) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_vault_v2(pg_tde_global, varchar, text, text, text, text) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_vault_v2(pg_tde_global, varchar, JSON, JSON, JSON, JSON) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_kmip(pg_tde_global, varchar, text, int, text, text) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_kmip(pg_tde_global, varchar, JSON, JSON, JSON, JSON) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_global_key_provider_file(varchar, json) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_global_key_provider_file(varchar, text) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_global_key_provider_vault_v2(varchar, text, text, text, text) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_global_key_provider_vault_v2(varchar, JSON, JSON, JSON, JSON) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_global_key_provider_kmip(varchar, text, int, text, text) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_global_key_provider_kmip(varchar, JSON, JSON, JSON, JSON) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider(pg_tde_global, varchar, varchar, JSON) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_global_key_provider(varchar, varchar, JSON) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_file(pg_tde_global, varchar, json) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_file(pg_tde_global, varchar, text) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_vault_v2(pg_tde_global, varchar, text, text, text, text) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_vault_v2(pg_tde_global, varchar, JSON, JSON, JSON, JSON) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_kmip(pg_tde_global, varchar, text, int, text, text) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_kmip(pg_tde_global, varchar, JSON, JSON, JSON, JSON) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_global_key_provider_file(varchar, json) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_global_key_provider_file(varchar, text) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_global_key_provider_vault_v2(varchar, text, text, text, text) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_global_key_provider_vault_v2(varchar, JSON, JSON, JSON, JSON) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_global_key_provider_kmip(varchar, text, int, text, text) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_global_key_provider_kmip(varchar, JSON, JSON, JSON, JSON) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_delete_key_provider(pg_tde_global, varchar) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_delete_global_key_provider(varchar) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_principal_key(varchar, pg_tde_global, varchar, BOOLEAN) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_server_principal_key(varchar, pg_tde_global, varchar, BOOLEAN) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_global_principal_key(varchar, varchar, BOOLEAN) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_server_principal_key(varchar, varchar, BOOLEAN) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_default_principal_key(varchar, pg_tde_global, varchar, BOOLEAN) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_default_principal_key(varchar, varchar, BOOLEAN) FROM %I', target_role);
END;
$$;
@ -711,11 +701,11 @@ SET search_path = @extschema@
AS $$
BEGIN
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_list_all_key_providers(OUT INT, OUT varchar, OUT varchar, OUT JSON) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_list_all_key_providers(pg_tde_global, OUT INT, OUT varchar, OUT varchar, OUT JSON) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_list_all_global_key_providers(OUT INT, OUT varchar, OUT varchar, OUT JSON) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_is_encrypted(VARCHAR) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_principal_key_info() FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_principal_key_info(pg_tde_global) FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_global_principal_key_info() FROM %I', target_role);
END;
$$;

10
contrib/pg_tde/sql/default_principal_key.sql
View File

@ -1,12 +1,12 @@
CREATE EXTENSION IF NOT EXISTS pg_tde;
SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-provider','/tmp/pg_tde_regression_default_principal_key.per');
SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_regression_default_principal_key.per');
SELECT pg_tde_set_default_principal_key('default-principal-key', 'PG_TDE_GLOBAL', 'file-provider', false);
SELECT pg_tde_set_default_principal_key('default-principal-key', 'file-provider', false);
-- fails
SELECT pg_tde_delete_key_provider('PG_TDE_GLOBAL', 'file-provider');
SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL');
SELECT pg_tde_delete_global_key_provider('file-provider');
SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
-- Should fail: no principal key for the database yet
SELECT key_provider_id, key_provider_name, principal_key_name
@ -50,7 +50,7 @@ SELECT key_provider_id, key_provider_name, principal_key_name
\c regression_pg_tde
SELECT pg_tde_set_default_principal_key('new-default-principal-key', 'PG_TDE_GLOBAL', 'file-provider', false);
SELECT pg_tde_set_default_principal_key('new-default-principal-key', 'file-provider', false);
SELECT key_provider_id, key_provider_name, principal_key_name
FROM pg_tde_principal_key_info();

18
contrib/pg_tde/sql/key_provider.sql
View File

@ -24,11 +24,11 @@ SELECT pg_tde_verify_principal_key();
SELECT pg_tde_change_key_provider_file('file-provider', json_object('foo' VALUE '/tmp/pg_tde_test_keyring.per'));
SELECT * FROM pg_tde_list_all_key_providers();
SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring','/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_add_global_key_provider_file('file-keyring','/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring2','/tmp/pg_tde_test_keyring2.per');
SELECT pg_tde_add_global_key_provider_file('file-keyring2','/tmp/pg_tde_test_keyring2.per');
SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL');
SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
-- TODO: verify that we can also can change the type of it
@ -40,16 +40,16 @@ SELECT id, provider_name FROM pg_tde_list_all_key_providers();
SELECT pg_tde_delete_key_provider('file-provider2');
SELECT id, provider_name FROM pg_tde_list_all_key_providers();
SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL');
SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
SELECT pg_tde_set_principal_key('test-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring', false);
SELECT pg_tde_set_global_principal_key('test-db-principal-key', 'file-keyring', false);
-- fails
SELECT pg_tde_delete_key_provider('PG_TDE_GLOBAL', 'file-keyring');
SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL');
SELECT pg_tde_delete_global_key_provider('file-keyring');
SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
-- works
SELECT pg_tde_delete_key_provider('PG_TDE_GLOBAL', 'file-keyring2');
SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL');
SELECT pg_tde_delete_global_key_provider('file-keyring2');
SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
DROP EXTENSION pg_tde;

6
contrib/pg_tde/sql/wal_key.sql
View File

@ -5,16 +5,16 @@ CREATE EXTENSION IF NOT EXISTS pg_tde;
SELECT pg_tde_create_wal_key();
SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring','/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_add_global_key_provider_file('file-keyring','/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_create_wal_key();
-- db local principal key with global provider
SELECT pg_tde_set_principal_key('test-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring', true);
SELECT pg_tde_set_global_principal_key('test-db-principal-key', 'file-keyring', true);
SELECT pg_tde_create_wal_key();
SELECT pg_tde_set_server_principal_key('test-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring');
SELECT pg_tde_set_server_principal_key('test-db-principal-key', 'file-keyring');
-- and now it should work!
SELECT pg_tde_create_wal_key();

66
contrib/pg_tde/src/catalog/tde_keyring.c
View File

@ -75,21 +75,26 @@ static List *scan_key_provider_file(ProviderScanType scanType, void *scanKey, Oi
PG_FUNCTION_INFO_V1(pg_tde_add_key_provider);
Datum pg_tde_add_key_provider(PG_FUNCTION_ARGS);
PG_FUNCTION_INFO_V1(pg_tde_add_key_provider_global);
Datum pg_tde_add_key_provider_global(PG_FUNCTION_ARGS);
PG_FUNCTION_INFO_V1(pg_tde_add_global_key_provider);
Datum pg_tde_add_global_key_provider(PG_FUNCTION_ARGS);
PG_FUNCTION_INFO_V1(pg_tde_change_key_provider);
Datum pg_tde_change_key_provider(PG_FUNCTION_ARGS);
PG_FUNCTION_INFO_V1(pg_tde_change_key_provider_global);
Datum pg_tde_change_key_provider_global(PG_FUNCTION_ARGS);
PG_FUNCTION_INFO_V1(pg_tde_change_global_key_provider);
Datum pg_tde_change_global_key_provider(PG_FUNCTION_ARGS);
static Datum pg_tde_list_all_key_providers_internal(const char *fname, bool global, PG_FUNCTION_ARGS);
PG_FUNCTION_INFO_V1(pg_tde_list_all_key_providers);
Datum pg_tde_list_all_key_providers(PG_FUNCTION_ARGS);
static Datum pg_tde_change_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid, int shift);
PG_FUNCTION_INFO_V1(pg_tde_list_all_global_key_providers);
Datum pg_tde_list_all_global_key_providers(PG_FUNCTION_ARGS);
static Datum pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid, int shift);
static Datum pg_tde_change_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid);
static Datum pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid);
#define PG_TDE_LIST_PROVIDERS_COLS 4
@ -197,21 +202,21 @@ cleanup_key_provider_info(Oid databaseId)
Datum
pg_tde_change_key_provider(PG_FUNCTION_ARGS)
{
return pg_tde_change_key_provider_internal(fcinfo, MyDatabaseId, 0);
return pg_tde_change_key_provider_internal(fcinfo, MyDatabaseId);
}
Datum
pg_tde_change_key_provider_global(PG_FUNCTION_ARGS)
pg_tde_change_global_key_provider(PG_FUNCTION_ARGS)
{
return pg_tde_change_key_provider_internal(fcinfo, GLOBAL_DATA_TDE_OID, 1);
return pg_tde_change_key_provider_internal(fcinfo, GLOBAL_DATA_TDE_OID);
}
static Datum
pg_tde_change_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid, int shift)
pg_tde_change_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid)
{
char *provider_type = text_to_cstring(PG_GETARG_TEXT_PP(0 + shift));
char *provider_name = text_to_cstring(PG_GETARG_TEXT_PP(1 + shift));
char *options = text_to_cstring(PG_GETARG_TEXT_PP(2 + shift));
char *provider_type = text_to_cstring(PG_GETARG_TEXT_PP(0));
char *provider_name = text_to_cstring(PG_GETARG_TEXT_PP(1));
char *options = text_to_cstring(PG_GETARG_TEXT_PP(2));
KeyringProvideRecord provider;
/* reports error if not found */
@ -231,21 +236,21 @@ pg_tde_change_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid, int shift)
Datum
pg_tde_add_key_provider(PG_FUNCTION_ARGS)
{
return pg_tde_add_key_provider_internal(fcinfo, MyDatabaseId, 0);
return pg_tde_add_key_provider_internal(fcinfo, MyDatabaseId);
}
Datum
pg_tde_add_key_provider_global(PG_FUNCTION_ARGS)
pg_tde_add_global_key_provider(PG_FUNCTION_ARGS)
{
return pg_tde_add_key_provider_internal(fcinfo, GLOBAL_DATA_TDE_OID, 1);
return pg_tde_add_key_provider_internal(fcinfo, GLOBAL_DATA_TDE_OID);
}
Datum
pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid, int shift)
pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid)
{
char *provider_type = text_to_cstring(PG_GETARG_TEXT_PP(0 + shift));
char *provider_name = text_to_cstring(PG_GETARG_TEXT_PP(1 + shift));
char *options = text_to_cstring(PG_GETARG_TEXT_PP(2 + shift));
char *provider_type = text_to_cstring(PG_GETARG_TEXT_PP(0));
char *provider_name = text_to_cstring(PG_GETARG_TEXT_PP(1));
char *options = text_to_cstring(PG_GETARG_TEXT_PP(2));
KeyringProvideRecord provider;
provider.provider_id = 0;
@ -260,7 +265,20 @@ pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid, int shift)
Datum
pg_tde_list_all_key_providers(PG_FUNCTION_ARGS)
{
List *all_providers = GetAllKeyringProviders(PG_NARGS() == 1 ? GLOBAL_DATA_TDE_OID : MyDatabaseId);
return pg_tde_list_all_key_providers_internal("pg_tde_list_all_key_providers", false, fcinfo);
}
Datum
pg_tde_list_all_global_key_providers(PG_FUNCTION_ARGS)
{
return pg_tde_list_all_key_providers_internal("pg_tde_list_all_key_providers_global", true, fcinfo);
}
static Datum
pg_tde_list_all_key_providers_internal(const char *fname, bool global, PG_FUNCTION_ARGS)
{
Oid database = (global ? GLOBAL_DATA_TDE_OID : MyDatabaseId);
List *all_providers = GetAllKeyringProviders(database);
ListCell *lc;
Tuplestorestate *tupstore;
TupleDesc tupdesc;
@ -272,11 +290,11 @@ pg_tde_list_all_key_providers(PG_FUNCTION_ARGS)
if (rsinfo == NULL || !IsA(rsinfo, ReturnSetInfo))
ereport(ERROR,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("pg_tde_list_all_key_providers: set-valued function called in context that cannot accept a set")));
errmsg("%s: set-valued function called in context that cannot accept a set", fname)));
if (!(rsinfo->allowedModes & SFRM_Materialize))
ereport(ERROR,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("pg_tde_list_all_key_providers: materialize mode required, but it is not allowed in this context")));
errmsg("%s: materialize mode required, but it is not allowed in this context", fname)));
/* Switch into long-lived context to construct returned data structures */
per_query_ctx = rsinfo->econtext->ecxt_per_query_memory;
@ -284,7 +302,7 @@ pg_tde_list_all_key_providers(PG_FUNCTION_ARGS)
/* Build a tuple descriptor for our result type */
if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE)
elog(ERROR, "pg_tde_list_all_key_providers: return type must be a row type");
elog(ERROR, "%s: return type must be a row type", fname);
tupstore = tuplestore_begin_heap(true, false, work_mem);
rsinfo->returnMode = SFRM_Materialize;

30
contrib/pg_tde/src/catalog/tde_principal_key.c
View File

@ -47,7 +47,7 @@
#ifndef FRONTEND
PG_FUNCTION_INFO_V1(pg_tde_delete_key_provider);
PG_FUNCTION_INFO_V1(pg_tde_delete_key_provider_global);
PG_FUNCTION_INFO_V1(pg_tde_delete_global_key_provider);
PG_FUNCTION_INFO_V1(pg_tde_verify_principal_key);
PG_FUNCTION_INFO_V1(pg_tde_verify_global_principal_key);
@ -109,10 +109,10 @@ Datum pg_tde_set_default_principal_key(PG_FUNCTION_ARGS);
PG_FUNCTION_INFO_V1(pg_tde_set_principal_key);
Datum pg_tde_set_principal_key(PG_FUNCTION_ARGS);
PG_FUNCTION_INFO_V1(pg_tde_set_principal_key_global);
PG_FUNCTION_INFO_V1(pg_tde_set_global_principal_key);
Datum pg_tde_set_principal_key(PG_FUNCTION_ARGS);
PG_FUNCTION_INFO_V1(pg_tde_set_principal_key_server);
PG_FUNCTION_INFO_V1(pg_tde_set_server_principal_key);
Datum pg_tde_set_principal_key(PG_FUNCTION_ARGS);
enum global_status
@ -565,8 +565,8 @@ Datum
pg_tde_set_default_principal_key(PG_FUNCTION_ARGS)
{
char *principal_key_name = text_to_cstring(PG_GETARG_TEXT_PP(0));
char *provider_name = PG_ARGISNULL(2) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(2));
bool ensure_new_key = PG_GETARG_BOOL(3);
char *provider_name = PG_ARGISNULL(1) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(1));
bool ensure_new_key = PG_GETARG_BOOL(2);
return pg_tde_set_principal_key_internal(principal_key_name, GS_DEFAULT, provider_name, ensure_new_key);
}
@ -582,21 +582,21 @@ pg_tde_set_principal_key(PG_FUNCTION_ARGS)
}
Datum
pg_tde_set_principal_key_global(PG_FUNCTION_ARGS)
pg_tde_set_global_principal_key(PG_FUNCTION_ARGS)
{
char *principal_key_name = text_to_cstring(PG_GETARG_TEXT_PP(0));
char *provider_name = PG_ARGISNULL(2) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(2));
bool ensure_new_key = PG_GETARG_BOOL(3);
char *provider_name = PG_ARGISNULL(1) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(1));
bool ensure_new_key = PG_GETARG_BOOL(2);
return pg_tde_set_principal_key_internal(principal_key_name, GS_GLOBAL, provider_name, ensure_new_key);
}
Datum
pg_tde_set_principal_key_server(PG_FUNCTION_ARGS)
pg_tde_set_server_principal_key(PG_FUNCTION_ARGS)
{
char *principal_key_name = text_to_cstring(PG_GETARG_TEXT_PP(0));
char *provider_name = PG_ARGISNULL(2) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(2));
bool ensure_new_key = PG_GETARG_BOOL(3);
char *provider_name = PG_ARGISNULL(1) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(1));
bool ensure_new_key = PG_GETARG_BOOL(2);
return pg_tde_set_principal_key_internal(principal_key_name, GS_SERVER, provider_name, ensure_new_key);
}
@ -679,9 +679,9 @@ pg_tde_principal_key_info(PG_FUNCTION_ARGS)
return pg_tde_get_key_info(fcinfo, MyDatabaseId);
}
PG_FUNCTION_INFO_V1(pg_tde_principal_key_info_global);
PG_FUNCTION_INFO_V1(pg_tde_global_principal_key_info);
Datum
pg_tde_principal_key_info_global(PG_FUNCTION_ARGS)
pg_tde_global_principal_key_info(PG_FUNCTION_ARGS)
{
return pg_tde_get_key_info(fcinfo, GLOBAL_DATA_TDE_OID);
}
@ -1090,7 +1090,7 @@ pg_tde_delete_key_provider(PG_FUNCTION_ARGS)
}
Datum
pg_tde_delete_key_provider_global(PG_FUNCTION_ARGS)
pg_tde_delete_global_key_provider(PG_FUNCTION_ARGS)
{
return pg_tde_delete_key_provider_internal(fcinfo, 1);
}
@ -1098,7 +1098,7 @@ pg_tde_delete_key_provider_global(PG_FUNCTION_ARGS)
Datum
pg_tde_delete_key_provider_internal(PG_FUNCTION_ARGS, int is_global)
{
char *provider_name = text_to_cstring(PG_GETARG_TEXT_PP(0 + is_global));
char *provider_name = text_to_cstring(PG_GETARG_TEXT_PP(0));
Oid db_oid = (is_global == 1) ? GLOBAL_DATA_TDE_OID : MyDatabaseId;
GenericKeyring *provider = GetKeyProviderByName(provider_name, db_oid);
int provider_id;

22
contrib/pg_tde/t/002_rotate_key.pl
View File

@ -46,9 +46,9 @@ $stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('fil
PGTDE::append_to_file($stdout);
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('file-2','/tmp/pg_tde_test_keyring_2.per');", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-2','/tmp/pg_tde_test_keyring_2g.per');", extra_params => ['-a']);
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_global_key_provider_file('file-2','/tmp/pg_tde_test_keyring_2g.per');", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-3','/tmp/pg_tde_test_keyring_3.per');", extra_params => ['-a']);
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_global_key_provider_file('file-3','/tmp/pg_tde_test_keyring_3.per');", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_list_all_key_providers();", extra_params => ['-a']);
@ -79,7 +79,7 @@ $rt_value = $node->start();
$stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');", extra_params => ['-a']);
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
PGTDE::append_to_file($stderr);
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
@ -99,14 +99,14 @@ $rt_value = $node->start();
$stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');", extra_params => ['-a']);
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
PGTDE::append_to_file($stderr);
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
PGTDE::append_to_file($stdout);
#Again rotate key
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_principal_key('rotated-principal-key', 'PG_TDE_GLOBAL', 'file-3', false);", extra_params => ['-a']);
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_global_principal_key('rotated-principal-key', 'file-3', false);", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
PGTDE::append_to_file($stdout);
@ -118,7 +118,7 @@ $rt_value = $node->start();
$stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');", extra_params => ['-a']);
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
PGTDE::append_to_file($stderr);
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
@ -128,7 +128,7 @@ PGTDE::append_to_file($stdout);
# And maybe debug tools to show what's in a file keyring?
#Again rotate key
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_principal_key('rotated-principal-keyX', 'PG_TDE_GLOBAL', 'file-2', false);", extra_params => ['-a']);
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_global_principal_key('rotated-principal-keyX', 'file-2', false);", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
PGTDE::append_to_file($stdout);
@ -140,7 +140,7 @@ $rt_value = $node->start();
$stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');", extra_params => ['-a']);
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
PGTDE::append_to_file($stderr);
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
@ -156,11 +156,11 @@ $rt_value = $node->stop();
$rt_value = $node->start();
# But now can't be changed to another global provider
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT pg_tde_set_principal_key('rotated-principal-keyX2', 'PG_TDE_GLOBAL', 'file-2', false);", extra_params => ['-a']);
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT pg_tde_set_global_principal_key('rotated-principal-keyX2', 'file-2', false);", extra_params => ['-a']);
PGTDE::append_to_file($stderr);
$stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');", extra_params => ['-a']);
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
PGTDE::append_to_file($stderr);
@ -168,7 +168,7 @@ $stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_principal_key('rotated
PGTDE::append_to_file($stdout);
$stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');", extra_params => ['-a']);
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
PGTDE::append_to_file($stderr);

4
contrib/pg_tde/t/010_wal_encrypt.pl
View File

@ -29,10 +29,10 @@ ok($rt_value == 1, "Start Server");
my $stdout = $node->safe_psql('postgres', "CREATE EXTENSION IF NOT EXISTS pg_tde;", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring-010','/tmp/pg_tde_test_keyring010.per');", extra_params => ['-a']);
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_global_key_provider_file('file-keyring-010','/tmp/pg_tde_test_keyring010.per');", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring-010');", extra_params => ['-a']);
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'file-keyring-010');", extra_params => ['-a']);
PGTDE::append_to_file($stdout);
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_create_wal_key();", extra_params => ['-a']);

20
contrib/pg_tde/t/expected/002_rotate_key.out
View File

@ -4,9 +4,9 @@ SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per')
1
SELECT pg_tde_add_key_provider_file('file-2','/tmp/pg_tde_test_keyring_2.per');
2
SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-2','/tmp/pg_tde_test_keyring_2g.per');
SELECT pg_tde_add_global_key_provider_file('file-2','/tmp/pg_tde_test_keyring_2g.per');
-1
SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-3','/tmp/pg_tde_test_keyring_3.per');
SELECT pg_tde_add_global_key_provider_file('file-3','/tmp/pg_tde_test_keyring_3.per');
-2
SELECT pg_tde_list_all_key_providers();
(1,file-vault,file,"{""type"" : ""file"", ""path"" : ""/tmp/pg_tde_test_keyring.per""}")
@ -25,7 +25,7 @@ SELECT * FROM test_enc ORDER BY id ASC;
-- server restart
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
1|file-vault|rotated-principal-key1
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
psql:<stdin>:1: ERROR: Principal key does not exists for the database
HINT: Use set_principal_key interface to set the principal key
SELECT * FROM test_enc ORDER BY id ASC;
@ -39,13 +39,13 @@ SELECT * FROM test_enc ORDER BY id ASC;
-- server restart
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
2|file-2|rotated-principal-key2
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
psql:<stdin>:1: ERROR: Principal key does not exists for the database
HINT: Use set_principal_key interface to set the principal key
SELECT * FROM test_enc ORDER BY id ASC;
1|5
2|6
SELECT pg_tde_set_principal_key('rotated-principal-key', 'PG_TDE_GLOBAL', 'file-3', false);
SELECT pg_tde_set_global_principal_key('rotated-principal-key', 'file-3', false);
t
SELECT * FROM test_enc ORDER BY id ASC;
1|5
@ -53,13 +53,13 @@ SELECT * FROM test_enc ORDER BY id ASC;
-- server restart
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
-2|file-3|rotated-principal-key
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
psql:<stdin>:1: ERROR: Principal key does not exists for the database
HINT: Use set_principal_key interface to set the principal key
SELECT * FROM test_enc ORDER BY id ASC;
1|5
2|6
SELECT pg_tde_set_principal_key('rotated-principal-keyX', 'PG_TDE_GLOBAL', 'file-2', false);
SELECT pg_tde_set_global_principal_key('rotated-principal-keyX', 'file-2', false);
t
SELECT * FROM test_enc ORDER BY id ASC;
1|5
@ -67,7 +67,7 @@ SELECT * FROM test_enc ORDER BY id ASC;
-- server restart
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
-1|file-2|rotated-principal-keyX
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
psql:<stdin>:1: ERROR: Principal key does not exists for the database
HINT: Use set_principal_key interface to set the principal key
SELECT * FROM test_enc ORDER BY id ASC;
@ -78,14 +78,14 @@ ALTER SYSTEM SET pg_tde.inherit_global_providers = OFF;
psql:<stdin>:1: ERROR: Usage of global key providers is disabled. Enable it with pg_tde.inherit_global_providers = ON
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
-1|file-2|rotated-principal-keyX
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
psql:<stdin>:1: ERROR: Principal key does not exists for the database
HINT: Use set_principal_key interface to set the principal key
SELECT pg_tde_set_principal_key('rotated-principal-key2','file-2');
t
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
2|file-2|rotated-principal-key2
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
psql:<stdin>:1: ERROR: Principal key does not exists for the database
HINT: Use set_principal_key interface to set the principal key
DROP TABLE test_enc;

4
contrib/pg_tde/t/expected/010_wal_encrypt.out
View File

@ -1,7 +1,7 @@
CREATE EXTENSION IF NOT EXISTS pg_tde;
SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring-010','/tmp/pg_tde_test_keyring010.per');
SELECT pg_tde_add_global_key_provider_file('file-keyring-010','/tmp/pg_tde_test_keyring010.per');
-1
SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring-010');
SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'file-keyring-010');
t
SELECT pg_tde_create_wal_key();
t

4
src/bin/pg_waldump/t/003_basic_encrypted.pl
View File

@ -27,8 +27,8 @@ shared_preload_libraries = 'pg_tde'
$node->start;
$node->safe_psql('postgres', "CREATE EXTENSION IF NOT EXISTS pg_tde;");
$node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring-wal','/tmp/pg_tde_test_keyring-wal.per');");;
$node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring-wal');");
$node->safe_psql('postgres', "SELECT pg_tde_add_global_key_provider_file('file-keyring-wal','/tmp/pg_tde_test_keyring-wal.per');");;
$node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'file-keyring-wal');");
$node->safe_psql('postgres', "SELECT pg_tde_create_wal_key();");
$node->append_conf(

4
src/bin/pg_waldump/t/004_save_fullpage_encrypted.pl
View File

@ -41,8 +41,8 @@ shared_preload_libraries = 'pg_tde'
$node->start;
$node->safe_psql('postgres', "CREATE EXTENSION IF NOT EXISTS pg_tde;");
$node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring-wal','/tmp/pg_tde_test_keyring-wal.per');");;
$node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring-wal');");
$node->safe_psql('postgres', "SELECT pg_tde_add_global_key_provider_file('file-keyring-wal','/tmp/pg_tde_test_keyring-wal.per');");;
$node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'file-keyring-wal');");
$node->safe_psql('postgres', "SELECT pg_tde_create_wal_key();");
$node->append_conf(