diff --git a/contrib/pg_tde/expected/key_provider.out b/contrib/pg_tde/expected/key_provider.out index fbf9eec4d90a0..0f25523b733e9 100644 --- a/contrib/pg_tde/expected/key_provider.out +++ b/contrib/pg_tde/expected/key_provider.out @@ -328,6 +328,15 @@ SELECT pg_tde_delete_database_key_provider(NULL); ERROR: provider_name cannot be null SELECT pg_tde_delete_global_key_provider(NULL); ERROR: provider_name cannot be null +-- Setting principal key fails if provider name is NULL +SELECT pg_tde_set_default_key_using_global_key_provider('key', NULL); +ERROR: key provider name cannot be null +SELECT pg_tde_set_key_using_database_key_provider('key', NULL); +ERROR: key provider name cannot be null +SELECT pg_tde_set_key_using_global_key_provider('key', NULL); +ERROR: key provider name cannot be null +SELECT pg_tde_set_server_key_using_global_key_provider('key', NULL); +ERROR: key provider name cannot be null -- Setting principal key fails if key name is NULL SELECT pg_tde_set_default_key_using_global_key_provider(NULL, 'file-keyring'); ERROR: key name cannot be null diff --git a/contrib/pg_tde/pg_tde--1.0-rc.sql b/contrib/pg_tde/pg_tde--1.0-rc.sql index 64e4c0c100b6d..6df3771aeaaf5 100644 --- a/contrib/pg_tde/pg_tde--1.0-rc.sql +++ b/contrib/pg_tde/pg_tde--1.0-rc.sql @@ -419,22 +419,22 @@ STRICT LANGUAGE C AS 'MODULE_PATHNAME'; -CREATE FUNCTION pg_tde_set_key_using_database_key_provider(key_name TEXT, provider_name TEXT DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE) +CREATE FUNCTION pg_tde_set_key_using_database_key_provider(key_name TEXT, provider_name TEXT, ensure_new_key BOOLEAN DEFAULT FALSE) RETURNS VOID LANGUAGE C AS 'MODULE_PATHNAME'; -CREATE FUNCTION pg_tde_set_key_using_global_key_provider(key_name TEXT, provider_name TEXT DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE) +CREATE FUNCTION pg_tde_set_key_using_global_key_provider(key_name TEXT, provider_name TEXT, ensure_new_key BOOLEAN DEFAULT FALSE) RETURNS VOID LANGUAGE C AS 'MODULE_PATHNAME'; -CREATE FUNCTION pg_tde_set_server_key_using_global_key_provider(key_name TEXT, provider_name TEXT DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE) +CREATE FUNCTION pg_tde_set_server_key_using_global_key_provider(key_name TEXT, provider_name TEXT, ensure_new_key BOOLEAN DEFAULT FALSE) RETURNS VOID LANGUAGE C AS 'MODULE_PATHNAME'; -CREATE FUNCTION pg_tde_set_default_key_using_global_key_provider(key_name TEXT, provider_name TEXT DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE) +CREATE FUNCTION pg_tde_set_default_key_using_global_key_provider(key_name TEXT, provider_name TEXT, ensure_new_key BOOLEAN DEFAULT FALSE) RETURNS VOID AS 'MODULE_PATHNAME' LANGUAGE C; diff --git a/contrib/pg_tde/sql/key_provider.sql b/contrib/pg_tde/sql/key_provider.sql index 665aa28049be1..81437df9cd5ce 100644 --- a/contrib/pg_tde/sql/key_provider.sql +++ b/contrib/pg_tde/sql/key_provider.sql @@ -160,6 +160,12 @@ DROP DATABASE db_using_database_provider; SELECT pg_tde_delete_database_key_provider(NULL); SELECT pg_tde_delete_global_key_provider(NULL); +-- Setting principal key fails if provider name is NULL +SELECT pg_tde_set_default_key_using_global_key_provider('key', NULL); +SELECT pg_tde_set_key_using_database_key_provider('key', NULL); +SELECT pg_tde_set_key_using_global_key_provider('key', NULL); +SELECT pg_tde_set_server_key_using_global_key_provider('key', NULL); + -- Setting principal key fails if key name is NULL SELECT pg_tde_set_default_key_using_global_key_provider(NULL, 'file-keyring'); SELECT pg_tde_set_key_using_database_key_provider(NULL, 'file-keyring'); diff --git a/contrib/pg_tde/src/catalog/tde_principal_key.c b/contrib/pg_tde/src/catalog/tde_principal_key.c index ab4516a8a6e2e..5e73d35bbda35 100644 --- a/contrib/pg_tde/src/catalog/tde_principal_key.c +++ b/contrib/pg_tde/src/catalog/tde_principal_key.c @@ -228,10 +228,10 @@ void set_principal_key_with_keyring(const char *key_name, const char *provider_name, Oid providerOid, Oid dbOid, bool ensure_new_key) { - TDEPrincipalKey *curr_principal_key = NULL; - TDEPrincipalKey *new_principal_key = NULL; + TDEPrincipalKey *curr_principal_key; + TDEPrincipalKey *new_principal_key; LWLock *lock_files = tde_lwlock_enc_keys(); - bool already_has_key = false; + bool already_has_key; GenericKeyring *new_keyring; const KeyInfo *keyInfo = NULL; @@ -249,21 +249,7 @@ set_principal_key_with_keyring(const char *key_name, const char *provider_name, curr_principal_key = GetPrincipalKeyNoDefault(dbOid, LW_EXCLUSIVE); already_has_key = (curr_principal_key != NULL); - if (provider_name == NULL && !already_has_key) - { - ereport(ERROR, - errmsg("provider_name is a required parameter when creating the first principal key for a database")); - } - - if (provider_name != NULL) - { - new_keyring = GetKeyProviderByName(provider_name, providerOid); - } - else - { - new_keyring = GetKeyProviderByID(curr_principal_key->keyInfo.keyringId, - curr_principal_key->keyInfo.databaseId); - } + new_keyring = GetKeyProviderByName(provider_name, providerOid); { KeyringReturnCodes kr_ret; @@ -292,11 +278,6 @@ set_principal_key_with_keyring(const char *key_name, const char *provider_name, if (keyInfo == NULL) keyInfo = KeyringGenerateNewKeyAndStore(new_keyring, key_name, PRINCIPAL_KEY_LEN); - if (keyInfo == NULL) - { - ereport(ERROR, errmsg("failed to retrieve/create principal key.")); - } - new_principal_key = palloc_object(TDEPrincipalKey); new_principal_key->keyInfo.databaseId = dbOid; new_principal_key->keyInfo.keyringId = new_keyring->keyring_id; @@ -549,6 +530,10 @@ pg_tde_set_principal_key_internal(Oid providerOid, Oid dbOid, const char *key_na ereport(ERROR, errcode(ERRCODE_INVALID_PARAMETER_VALUE), errmsg("key name \"\" is too short")); + if (provider_name == NULL) + ereport(ERROR, + errcode(ERRCODE_NULL_VALUE_NOT_ALLOWED), + errmsg("key provider name cannot be null")); ereport(LOG, errmsg("Setting principal key [%s : %s] for the database", key_name, provider_name)); diff --git a/contrib/pg_tde/t/002_rotate_key.pl b/contrib/pg_tde/t/002_rotate_key.pl index eb188448a999c..02da31aca98b8 100644 --- a/contrib/pg_tde/t/002_rotate_key.pl +++ b/contrib/pg_tde/t/002_rotate_key.pl @@ -46,7 +46,8 @@ # Rotate key PGTDE::psql($node, 'postgres', - "SELECT pg_tde_set_key_using_database_key_provider('rotated-key1');"); + "SELECT pg_tde_set_key_using_database_key_provider('rotated-key1', 'file-vault');" +); PGTDE::psql($node, 'postgres', 'SELECT * FROM test_enc ORDER BY id;'); PGTDE::append_to_result_file("-- server restart"); diff --git a/contrib/pg_tde/t/expected/002_rotate_key.out b/contrib/pg_tde/t/expected/002_rotate_key.out index 0a4b5c65eda0d..4f7a729433615 100644 --- a/contrib/pg_tde/t/expected/002_rotate_key.out +++ b/contrib/pg_tde/t/expected/002_rotate_key.out @@ -45,7 +45,7 @@ SELECT * FROM test_enc ORDER BY id; 2 | 6 (2 rows) -SELECT pg_tde_set_key_using_database_key_provider('rotated-key1'); +SELECT pg_tde_set_key_using_database_key_provider('rotated-key1', 'file-vault'); pg_tde_set_key_using_database_key_provider --------------------------------------------