From c8dd16849fb4fcd8ac7103c83aa16aeb7c4abdd7 Mon Sep 17 00:00:00 2001 From: Artem Gavrilov Date: Fri, 11 Apr 2025 16:32:13 +0200 Subject: [PATCH] PG-1458 Add default key info/verify funcions --- .../pg_tde/documentation/docs/functions.md | 24 +++++++++++++++++++ .../pg_tde/expected/default_principal_key.out | 21 ++++++++++++++++ .../expected/default_principal_key_1.out | 21 ++++++++++++++++ contrib/pg_tde/pg_tde--1.0-rc.sql | 19 +++++++++++++++ contrib/pg_tde/sql/default_principal_key.sql | 11 +++++++++ .../pg_tde/src/catalog/tde_principal_key.c | 14 +++++++++++ 6 files changed, 110 insertions(+) diff --git a/contrib/pg_tde/documentation/docs/functions.md b/contrib/pg_tde/documentation/docs/functions.md index 80f858f4f4f..fb2fafe5133 100644 --- a/contrib/pg_tde/documentation/docs/functions.md +++ b/contrib/pg_tde/documentation/docs/functions.md @@ -298,6 +298,14 @@ Displays information about the principal key for the server scope, if exists. SELECT pg_tde_server_key_info() ``` +### pg_tde_default_key_info + +Displays the information about the default principal key, if it exists. + +``` +SELECT pg_tde_default_key_info() +``` + ### pg_tde_verify_key This function checks that the current database has a properly functional encryption setup, which means: @@ -329,3 +337,19 @@ If any of the above checks fail, the function reports an error. ``` SELECT pg_tde_verify_server_key() ``` + +### pg_tde_verify_default_key + +This function checks that the default key is properly configured, which means: + +* A key provider is configured +* The key provider is accessible using the specified configuration +* There is a principal key that can be used for any scope +* The principal key can be retrieved from the remote key provider +* The principal key returned from the key provider is the same as cached in the server memory + +If any of the above checks fail, the function reports an error. + +``` +SELECT pg_tde_verify_default_key() +``` 
diff --git a/contrib/pg_tde/expected/default_principal_key.out b/contrib/pg_tde/expected/default_principal_key.out index 75c64ffc022..0bae2551e2f 100644 --- a/contrib/pg_tde/expected/default_principal_key.out +++ b/contrib/pg_tde/expected/default_principal_key.out @@ -6,12 +6,33 @@ SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_regressi -3 (1 row) +-- Should fail: no default principal key for the server yet +SELECT pg_tde_verify_default_key(); +ERROR: principal key not configured for current database +-- Should fail: no default principal key for the server yet +SELECT key_provider_id, key_provider_name, key_name + FROM pg_tde_default_key_info(); +ERROR: Principal key does not exists for the database +HINT: Use set_key interface to set the principal key SELECT pg_tde_set_default_key_using_global_key_provider('default-key', 'file-provider', false); pg_tde_set_default_key_using_global_key_provider -------------------------------------------------- (1 row) +SELECT pg_tde_verify_default_key(); + pg_tde_verify_default_key +--------------------------- + +(1 row) + +SELECT key_provider_id, key_provider_name, key_name + FROM pg_tde_default_key_info(); + key_provider_id | key_provider_name | key_name +-----------------+-------------------+------------- + -3 | file-provider | default-key +(1 row) + -- fails SELECT pg_tde_delete_global_key_provider('file-provider'); ERROR: Can't delete a provider which is currently in use diff --git a/contrib/pg_tde/expected/default_principal_key_1.out b/contrib/pg_tde/expected/default_principal_key_1.out index 589b9f81228..9ad23893325 100644 --- a/contrib/pg_tde/expected/default_principal_key_1.out +++ b/contrib/pg_tde/expected/default_principal_key_1.out 
@@ -6,12 +6,33 @@ SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_regressi -4 (1 row) +-- Should fail: no default principal key for the server yet +SELECT pg_tde_verify_default_key(); +ERROR: principal key not configured for current database +-- Should fail: no default principal key for the server yet +SELECT key_provider_id, key_provider_name, key_name + FROM pg_tde_default_key_info(); +ERROR: Principal key does not exists for the database +HINT: Use set_key interface to set the principal key SELECT pg_tde_set_default_key_using_global_key_provider('default-key', 'file-provider', false); pg_tde_set_default_key_using_global_key_provider -------------------------------------------------- (1 row) +SELECT pg_tde_verify_default_key(); + pg_tde_verify_default_key +--------------------------- + +(1 row) + +SELECT key_provider_id, key_provider_name, key_name + FROM pg_tde_default_key_info(); + key_provider_id | key_provider_name | key_name +-----------------+-------------------+------------- + -4 | file-provider | default-key +(1 row) + -- fails SELECT pg_tde_delete_global_key_provider('file-provider'); ERROR: Can't delete a provider which is currently in use diff --git a/contrib/pg_tde/pg_tde--1.0-rc.sql b/contrib/pg_tde/pg_tde--1.0-rc.sql index 7531578bdfe..03de0ea5fb7 100644 --- a/contrib/pg_tde/pg_tde--1.0-rc.sql +++ b/contrib/pg_tde/pg_tde--1.0-rc.sql @@ -455,6 +455,11 @@ RETURNS VOID LANGUAGE C AS 'MODULE_PATHNAME'; +CREATE FUNCTION pg_tde_verify_default_key() +RETURNS VOID +LANGUAGE C +AS 'MODULE_PATHNAME'; + CREATE FUNCTION pg_tde_key_info() RETURNS TABLE ( key_name text, key_provider_name text, 
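Review bot: `CREATE FUNCTION pg_tde_verify_default_key()` in the @@ -455 hunk carries no privilege statement, and PostgreSQL grants EXECUTE on a new function to PUBLIC by default. The entries added to the grant and revoke helpers in the @@ -591 and @@ -672 hunks only restrict access if the install script also removes the PUBLIC grant for this function and for `pg_tde_default_key_info()` (@@ -464 hunk), either directly or by running the revoke helper for `public`. That part of the script is outside the patch, so please confirm it covers both new functions. If it does not, add `REVOKE EXECUTE ON FUNCTION pg_tde_verify_default_key() FROM PUBLIC;` and the matching line for the info function after their definitions.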
@@ -464,6 +469,14 @@ LANGUAGE C AS 'MODULE_PATHNAME'; CREATE FUNCTION pg_tde_server_key_info() +RETURNS TABLE ( key_name text, + key_provider_name text, + key_provider_id integer, + key_createion_time timestamp with time zone) +LANGUAGE C +AS 'MODULE_PATHNAME'; + +CREATE FUNCTION pg_tde_default_key_info() RETURNS TABLE ( key_name text, key_provider_name text, key_provider_id integer, @@ -591,8 +604,11 @@ BEGIN EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_key_info() TO %I', target_role); EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_server_key_info() TO %I', target_role); + EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_default_key_info() TO %I', target_role); + EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_key() TO %I', target_role); EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_server_key() TO %I', target_role); + EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_default_key() TO %I', target_role); END; $$; @@ -672,8 +688,11 @@ BEGIN EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_key_info() FROM %I', target_role); EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_server_key_info() FROM %I', target_role); + EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_default_key_info() FROM %I', target_role); + EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_key() FROM %I', target_role); EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_server_key() FROM %I', target_role); + EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_default_key() FROM %I', target_role); END; $$; diff --git a/contrib/pg_tde/sql/default_principal_key.sql b/contrib/pg_tde/sql/default_principal_key.sql index e9c5a67a89a..9a100a2a0d3 100644 --- a/contrib/pg_tde/sql/default_principal_key.sql +++ b/contrib/pg_tde/sql/default_principal_key.sql 
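Review bot: The RETURNS TABLE block added in the @@ -464 hunk spells the fourth column `key_createion_time`. Because the hunk duplicates the existing shape, `pg_tde_default_key_info()` presumably exposes the same misspelled name, although its last column falls outside the hunk. Result column names of a set-returning function are part of the SQL interface, so correcting this after release would break callers. Consider `key_creation_time timestamp with time zone` for all the key-info functions together while this is still the release-candidate script.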
@@ -3,7 +3,18 @@ CREATE EXTENSION IF NOT EXISTS pg_buffercache; SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_regression_default_key.per'); +-- Should fail: no default principal key for the server yet +SELECT pg_tde_verify_default_key(); + +-- Should fail: no default principal key for the server yet +SELECT key_provider_id, key_provider_name, key_name + FROM pg_tde_default_key_info(); + SELECT pg_tde_set_default_key_using_global_key_provider('default-key', 'file-provider', false); +SELECT pg_tde_verify_default_key(); + +SELECT key_provider_id, key_provider_name, key_name + FROM pg_tde_default_key_info(); -- fails SELECT pg_tde_delete_global_key_provider('file-provider'); diff --git a/contrib/pg_tde/src/catalog/tde_principal_key.c b/contrib/pg_tde/src/catalog/tde_principal_key.c index cfd87f9aab0..2472431462f 100644 --- a/contrib/pg_tde/src/catalog/tde_principal_key.c +++ b/contrib/pg_tde/src/catalog/tde_principal_key.c @@ -54,6 +54,7 @@ PG_FUNCTION_INFO_V1(pg_tde_delete_global_key_provider); PG_FUNCTION_INFO_V1(pg_tde_verify_key); PG_FUNCTION_INFO_V1(pg_tde_verify_server_key); +PG_FUNCTION_INFO_V1(pg_tde_verify_default_key); typedef struct TdePrincipalKeySharedState { @@ -607,6 +608,13 @@ pg_tde_server_key_info(PG_FUNCTION_ARGS) return pg_tde_get_key_info(fcinfo, GLOBAL_DATA_TDE_OID); } +PG_FUNCTION_INFO_V1(pg_tde_default_key_info); +Datum +pg_tde_default_key_info(PG_FUNCTION_ARGS) +{ + return pg_tde_get_key_info(fcinfo, DEFAULT_DATA_TDE_OID); +} + Datum pg_tde_verify_key(PG_FUNCTION_ARGS) { @@ -619,6 +627,12 @@ pg_tde_verify_server_key(PG_FUNCTION_ARGS) return pg_tde_verify_principal_key_internal(GLOBAL_DATA_TDE_OID); } +Datum +pg_tde_verify_default_key(PG_FUNCTION_ARGS) +{ + return pg_tde_verify_principal_key_internal(DEFAULT_DATA_TDE_OID); +} + static Datum pg_tde_get_key_info(PG_FUNCTION_ARGS, Oid dbOid) {
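Review bot: The new statements in the @@ -3,7 hunk run only as the installing role, so nothing exercises the GRANT/REVOKE entries this patch adds for `pg_tde_default_key_info()` and `pg_tde_verify_default_key()`. A case that switches to an unprivileged role with `SET ROLE`, expects a permission-denied error, then repeats the calls after the grant helper has run, would pin the access control for both functions. If another regression file already covers the helper for the existing info/verify functions, extending that file would be the more natural place.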
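Review bot: Calling `pg_tde_get_key_info(fcinfo, DEFAULT_DATA_TDE_OID)` in the @@ -607 hunk reuses error text written for the database scope. The expected output in this patch shows `Principal key does not exists for the database` with the hint `Use set_key interface to set the principal key`, and `pg_tde_verify_default_key()` in the @@ -619 hunk reports `principal key not configured for current database`. For an operator checking the encryption setup, that names the wrong scope and the wrong remedy, since the test sets the key with `pg_tde_set_default_key_using_global_key_provider`. Both shared helpers are defined outside these hunks, so the message would have to be chosen there from `dbOid`, for example naming the default principal key when `dbOid == DEFAULT_DATA_TDE_OID`.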