The function this message referenced does not exist, and even if it did
it wouldn't create keys.
Also error hint messages are supposed to be full sentences with a capital
letter and a period.
We no longer run these tests when pg_tde is turned on globally.
There is no reason for us to CREATE IF NOT EXISTS in tests as we should
_know_ what state the database is in when running them.
Add new functions pg_tde_create_key_using_database/global_key_provider()
to create keys instead of key creation being a side effect of setting
the key.
Also remove support for "create if not exists" semantics as any user
should know what keys their key provider contains.
Numbered TAP tests were done so following the core. However, there is
no reason for this, and it creates complications when, for example, we
need to remove some tests. Besides, regression tests are in
alphabetical order.
Even though we do have some access control in most of our C functions,
it seems dangerous to not revoke them from public by default. A
whitelist of allowed functions seems safer than a black list. Also
include non-C functions which are security definer.
The returned provider id was not useful for end-users as they cannot do
anything with it. They always use the provider name when interacting
with these settings.
If they really want to see these ids they can easily just use the functions
to list all providers to see them.
The reason for this change is that it might be confusing for users when
the function to create a global provider returns -1 on success without
any indication that it's just the generated id and not an error code.
Don't decrypt relation keys until they're actually needed. In some cases
tde_mdopen() is called after the transaction is committed which means
that we're no longer able to abort the transaction if we fail when we
fetch the principal key.
This happens, for example, if dropping an encrypted table. Previously
this would cause postmaster to panic if it didn't have access to the
principal key.
This simplifies working with tests a lot since now we will also always
get the errors from failed queries directly in the test output instead
of it being truncated when the TAP test aborts due to the query
failing.
There is still a good case for why we should instead write idiomatic TAP
tests but this at least does a lot to improve the experience of people
who have to work with these tests without changing the way the tests
work. Plus that the code is cleaner now so it should be easier to move
away from this way of testing in the future.
* The make CI action now also runs the entire installcheck-world
with pg_tde setup for all tests
* The meson CI runner doesn't do this yet
* Tools that only worked with the heap am based on an OID check now
also check for the tde_heap OID
* The get_tde_table_am_oid helper function is now moved inside the core,
as it is required by other contrib modules, which do not have access
to the tde code otherwise.
* A few tests that do a custom server setup were disabled based on the
TDE_MODE environment variable. These tests would fail because they
expect that after an initdb and start, the regression suite works,
but that's not the case with tde_heap. These tests can be re-enabled
again after we have options to do this with initdb
This commit disables padding for the fork file encryption to fix the
above warning, and also contains related test / logging improvements.
The meson test runner is also restricted to one process to work around
issues where multiple processes write the same keyring data file,
resulting in randomly failing test executions.
Fork file encryption was missing from the previous pull requests,
resulting in the server not initializing the keyring on normal executions,
and because of this, missing if the keyring configuration wasn't specified
at all.
Fixes #46