Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add config var to enable or disable event trigger function. #94

Merged
merged 3 commits into from
Nov 1, 2023
Merged

Add config var to enable or disable event trigger function. #94

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3a01bad
Add config var to enable or disable event trigger function.
michelp Sep 29, 2023
6524209
add helper view to easily show labeled columns.
michelp Oct 4, 2023
8fec16a
catch empty strings or bytes and throw error.
michelp Oct 4, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 37 additions & 0 deletions sql/pgsodium--3.1.8--3.1.9.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,3 +125,40 @@ $$
LANGUAGE plpgsql
SET search_path=''
;

CREATE OR REPLACE FUNCTION pgsodium.trg_mask_update()
RETURNS EVENT_TRIGGER AS
$$
DECLARE
r record;
BEGIN
IF (SELECT bool_or(in_extension) FROM pg_event_trigger_ddl_commands()) THEN
RAISE NOTICE 'skipping pgsodium mask regeneration in extension';
RETURN;
ELSIF current_setting('pgsodium.enable_event_trigger') <> 'on' THEN
RAISE NOTICE 'skipping pgsodium mask regeneration due to false pgsodium.enable_event_trigger';
RETURN;
END IF;

FOR r IN
SELECT e.*
FROM pg_event_trigger_ddl_commands() e
WHERE EXISTS (
SELECT FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_seclabel s ON s.classoid = c.tableoid
AND s.objoid = c.oid
WHERE c.tableoid = e.classid
AND e.objid = c.oid
AND s.provider = 'pgsodium'
)
LOOP
IF r.object_type in ('table', 'table column')
THEN
PERFORM pgsodium.update_mask(r.objid);
END IF;
END LOOP;
END
$$
LANGUAGE plpgsql
SET search_path=''
;
13 changes: 12 additions & 1 deletion src/pgsodium.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ PG_MODULE_MAGIC;

bytea *pgsodium_secret_key;
static char *getkey_script = NULL;
static bool enable_event_trigger = true;

/*
* Checking the syntax of the masking rules
Expand Down Expand Up @@ -120,10 +121,20 @@ _PG_init (void)
/* Security label provider hook */
register_label_provider ("pgsodium", pgsodium_object_relabel);

// we're done if not preloaded, otherwise try to get internal shared key
// we're done if not preloaded
if (!process_shared_preload_libraries_in_progress)
return;

// Variable to enable/disable event trigger
DefineCustomBoolVariable("pgsodium.enable_event_trigger",
"Variable to enable/disable event trigger that regenerates triggers and views.",
NULL,
&enable_event_trigger,
true,
PGC_USERSET, 0,
NULL, NULL, NULL);

// try to get internal shared key
path = (char *) palloc0 (MAXPGPATH);
get_share_path (my_exec_path, sharepath);
snprintf (path, MAXPGPATH, "%s/extension/%s", sharepath, PG_GETKEY_EXEC);
Expand Down
2 changes: 1 addition & 1 deletion test/pgsodium_schema.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5604,7 +5604,7 @@ SELECT function_privs_are('pgsodium'::name, proname, proargtypes::regtype[]::tex
AND oidvectortypes(proargtypes) = 'bytea';

SELECT unnest(ARRAY[
is(md5(prosrc), 'b8b02682e0138dc894512f55587db8d4',
is(md5(prosrc), '7e6641f8c9f661514f123598b1ca2448',
format('Function pgsodium.%s(%s) body should match checksum',
proname, pg_get_function_identity_arguments(oid))
),
Expand Down
35 changes: 32 additions & 3 deletions test/tce.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -139,16 +139,45 @@ select ok(has_table_privilege('bobo', 'private.bar', 'SELECT'),

select ok(has_table_privilege('bobo', 'private.other_bar', 'SELECT'),
'user keeps view select privs after regeneration');

select ok(has_table_privilege('bobo', 'private.other_bar', 'INSERT'),
'user keeps view insert privs after regeneration');

select ok(has_table_privilege('bobo', 'private.other_bar', 'UPDATE'),
'user keeps view update privs after regeneration');

select ok(has_table_privilege('bobo', 'private.other_bar', 'DELETE'),
'user keeps view delete privs after regeneration');

SET pgsodium.enable_event_trigger = 'off';

CREATE TABLE private.fooz(
secret text
);

SELECT lives_ok(
format($test$
SECURITY LABEL FOR pgsodium ON COLUMN private.fooz.secret
IS 'ENCRYPT WITH KEY ID %s'
$test$, :'secret_key_id'),
'can label column for encryption with event trigger disabled');

SELECT hasnt_view('private', 'decrypted_fooz', 'Dynamic view was not created due to disabled event trigger.');

SELECT hasnt_trigger('private', 'fooz', 'fooz_encrypt_secret_trigger_secret',
'Dynamic trigger was not created due to disabled event trigger.');

SELECT lives_ok(
$test$SELECT pgsodium.update_mask('private.fooz'::regclass);$test$,
'can manually create trigger and view with event trigger disabled.');

SELECT has_view('private', 'decrypted_fooz', 'Dynamic view was created manually.');

SELECT has_trigger('private', 'fooz', 'fooz_encrypt_secret_trigger_secret',
'Dynamic trigger was created manually.');

RESET pgsodium.enable_event_trigger;

SET SESSION AUTHORIZATION bobo;
SET ROLE bobo;

Expand Down