open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

PG-1458 Add default key info/verify funcions

Browse Source
pull/209/head
Artem Gavrilov 5 months ago committed by Artem Gavrilov
parent 9823fb75a2
commit c8dd16849f
6 changed files with 110 additions and 0 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 24
      contrib/pg_tde/documentation/docs/functions.md
  2. 21
      contrib/pg_tde/expected/default_principal_key.out
  3. 21
      contrib/pg_tde/expected/default_principal_key_1.out
  4. 19
      contrib/pg_tde/pg_tde--1.0-rc.sql
  5. 11
      contrib/pg_tde/sql/default_principal_key.sql
  6. 14
      contrib/pg_tde/src/catalog/tde_principal_key.c

24
contrib/pg_tde/documentation/docs/functions.md
Unescape View File

@ -298,6 +298,14 @@ Displays information about the principal key for the server scope, if exists.
SELECT pg_tde_server_key_info()
```
### pg_tde_default_key_info
Displays the information about the default principal key, if it exists.
```
SELECT pg_tde_default_key_info()
```
### pg_tde_verify_key
This function checks that the current database has a properly functional encryption setup, which means:
@ -329,3 +337,19 @@ If any of the above checks fail, the function reports an error.
```
SELECT pg_tde_verify_server_key()
```
### pg_tde_verify_default_key
This function checks that the default key is properly configured, which means:
* A key provider is configured
* The key provider is accessible using the specified configuration
* There is a principal key that can be used for any scope
* The principal key can be retrieved from the remote key provider
* The principal key returned from the key provider is the same as cached in the server memory
If any of the above checks fail, the function reports an error.
```
SELECT pg_tde_verify_default_key()
```

21
contrib/pg_tde/expected/default_principal_key.out
Unescape View File

@ -6,12 +6,33 @@ SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_regressi
-3
(1 row)
-- Should fail: no default principal key for the server yet
SELECT pg_tde_verify_default_key();
ERROR: principal key not configured for current database
-- Should fail: no default principal key for the server yet
SELECT key_provider_id, key_provider_name, key_name
FROM pg_tde_default_key_info();
ERROR: Principal key does not exists for the database
HINT: Use set_key interface to set the principal key
SELECT pg_tde_set_default_key_using_global_key_provider('default-key', 'file-provider', false);
pg_tde_set_default_key_using_global_key_provider
--------------------------------------------------
(1 row)
SELECT pg_tde_verify_default_key();
pg_tde_verify_default_key
---------------------------
(1 row)
SELECT key_provider_id, key_provider_name, key_name
FROM pg_tde_default_key_info();
key_provider_id | key_provider_name | key_name
-----------------+-------------------+-------------
-3 | file-provider | default-key
(1 row)
-- fails
SELECT pg_tde_delete_global_key_provider('file-provider');
ERROR: Can't delete a provider which is currently in use

21
contrib/pg_tde/expected/default_principal_key_1.out
Unescape View File

@ -6,12 +6,33 @@ SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_regressi
-4
(1 row)
-- Should fail: no default principal key for the server yet
SELECT pg_tde_verify_default_key();
ERROR: principal key not configured for current database
-- Should fail: no default principal key for the server yet
SELECT key_provider_id, key_provider_name, key_name
FROM pg_tde_default_key_info();
ERROR: Principal key does not exists for the database
HINT: Use set_key interface to set the principal key
SELECT pg_tde_set_default_key_using_global_key_provider('default-key', 'file-provider', false);
pg_tde_set_default_key_using_global_key_provider
--------------------------------------------------
(1 row)
SELECT pg_tde_verify_default_key();
pg_tde_verify_default_key
---------------------------
(1 row)
SELECT key_provider_id, key_provider_name, key_name
FROM pg_tde_default_key_info();
key_provider_id | key_provider_name | key_name
-----------------+-------------------+-------------
-4 | file-provider | default-key
(1 row)
-- fails
SELECT pg_tde_delete_global_key_provider('file-provider');
ERROR: Can't delete a provider which is currently in use

19
contrib/pg_tde/pg_tde--1.0-rc.sql
Unescape View File

@ -455,6 +455,11 @@ RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
CREATE FUNCTION pg_tde_verify_default_key()
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
CREATE FUNCTION pg_tde_key_info()
RETURNS TABLE ( key_name text,
key_provider_name text,
@ -464,6 +469,14 @@ LANGUAGE C
AS 'MODULE_PATHNAME';
CREATE FUNCTION pg_tde_server_key_info()
RETURNS TABLE ( key_name text,
key_provider_name text,
key_provider_id integer,
key_createion_time timestamp with time zone)
LANGUAGE C
AS 'MODULE_PATHNAME';
CREATE FUNCTION pg_tde_default_key_info()
RETURNS TABLE ( key_name text,
key_provider_name text,
key_provider_id integer,
@ -591,8 +604,11 @@ BEGIN
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_key_info() TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_server_key_info() TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_default_key_info() TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_key() TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_server_key() TO %I', target_role);
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_default_key() TO %I', target_role);
END;
$$;
@ -672,8 +688,11 @@ BEGIN
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_key_info() FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_server_key_info() FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_default_key_info() FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_key() FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_server_key() FROM %I', target_role);
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_default_key() FROM %I', target_role);
END;
$$;

11
contrib/pg_tde/sql/default_principal_key.sql
Unescape View File

@ -3,7 +3,18 @@ CREATE EXTENSION IF NOT EXISTS pg_buffercache;
SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_regression_default_key.per');
-- Should fail: no default principal key for the server yet
SELECT pg_tde_verify_default_key();
-- Should fail: no default principal key for the server yet
SELECT key_provider_id, key_provider_name, key_name
FROM pg_tde_default_key_info();
SELECT pg_tde_set_default_key_using_global_key_provider('default-key', 'file-provider', false);
SELECT pg_tde_verify_default_key();
SELECT key_provider_id, key_provider_name, key_name
FROM pg_tde_default_key_info();
-- fails
SELECT pg_tde_delete_global_key_provider('file-provider');

14
contrib/pg_tde/src/catalog/tde_principal_key.c
Unescape View File

@ -54,6 +54,7 @@ PG_FUNCTION_INFO_V1(pg_tde_delete_global_key_provider);
PG_FUNCTION_INFO_V1(pg_tde_verify_key);
PG_FUNCTION_INFO_V1(pg_tde_verify_server_key);
PG_FUNCTION_INFO_V1(pg_tde_verify_default_key);
typedef struct TdePrincipalKeySharedState
{
@ -607,6 +608,13 @@ pg_tde_server_key_info(PG_FUNCTION_ARGS)
return pg_tde_get_key_info(fcinfo, GLOBAL_DATA_TDE_OID);
}
PG_FUNCTION_INFO_V1(pg_tde_default_key_info);
Datum
pg_tde_default_key_info(PG_FUNCTION_ARGS)
{
return pg_tde_get_key_info(fcinfo, DEFAULT_DATA_TDE_OID);
}
Datum
pg_tde_verify_key(PG_FUNCTION_ARGS)
{
@ -619,6 +627,12 @@ pg_tde_verify_server_key(PG_FUNCTION_ARGS)
return pg_tde_verify_principal_key_internal(GLOBAL_DATA_TDE_OID);
}
Datum
pg_tde_verify_default_key(PG_FUNCTION_ARGS)
{
return pg_tde_verify_principal_key_internal(DEFAULT_DATA_TDE_OID);
}
static Datum
pg_tde_get_key_info(PG_FUNCTION_ARGS, Oid dbOid)
{

Write Preview
Loading…
Cancel
Save