From b364c54c7e14793456e11e9a5c1300a9e63905dd Mon Sep 17 00:00:00 2001 From: Andreas Karlsson Date: Fri, 30 May 2025 23:28:54 +0200 Subject: [PATCH] Remove undocumented shorthand for when setting keys If we passed NULL as the pkey provider name we used to pick the current key provider which was an undcoumented feature which made the code and API harder to understand. Let's jsut remove it and see if people complain. --- contrib/pg_tde/expected/key_provider.out | 9 ++++++ contrib/pg_tde/pg_tde--1.0-rc.sql | 8 ++--- contrib/pg_tde/sql/key_provider.sql | 6 ++++ .../pg_tde/src/catalog/tde_principal_key.c | 31 +++++-------------- contrib/pg_tde/t/002_rotate_key.pl | 3 +- contrib/pg_tde/t/expected/002_rotate_key.out | 2 +- 6 files changed, 30 insertions(+), 29 deletions(-) diff --git a/contrib/pg_tde/expected/key_provider.out b/contrib/pg_tde/expected/key_provider.out index fbf9eec4d90a0..0f25523b733e9 100644 --- a/contrib/pg_tde/expected/key_provider.out +++ b/contrib/pg_tde/expected/key_provider.out @@ -328,6 +328,15 @@ SELECT pg_tde_delete_database_key_provider(NULL); ERROR: provider_name cannot be null SELECT pg_tde_delete_global_key_provider(NULL); ERROR: provider_name cannot be null +-- Setting principal key fails if provider name is NULL +SELECT pg_tde_set_default_key_using_global_key_provider('key', NULL); +ERROR: key provider name cannot be null +SELECT pg_tde_set_key_using_database_key_provider('key', NULL); +ERROR: key provider name cannot be null +SELECT pg_tde_set_key_using_global_key_provider('key', NULL); +ERROR: key provider name cannot be null +SELECT pg_tde_set_server_key_using_global_key_provider('key', NULL); +ERROR: key provider name cannot be null -- Setting principal key fails if key name is NULL SELECT pg_tde_set_default_key_using_global_key_provider(NULL, 'file-keyring'); ERROR: key name cannot be null diff --git a/contrib/pg_tde/pg_tde--1.0-rc.sql b/contrib/pg_tde/pg_tde--1.0-rc.sql index 64e4c0c100b6d..6df3771aeaaf5 100644 --- a/contrib/pg_tde/pg_tde--1.0-rc.sql +++ b/contrib/pg_tde/pg_tde--1.0-rc.sql @@ -419,22 +419,22 @@ STRICT LANGUAGE C AS 'MODULE_PATHNAME'; -CREATE FUNCTION pg_tde_set_key_using_database_key_provider(key_name TEXT, provider_name TEXT DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE) +CREATE FUNCTION pg_tde_set_key_using_database_key_provider(key_name TEXT, provider_name TEXT, ensure_new_key BOOLEAN DEFAULT FALSE) RETURNS VOID LANGUAGE C AS 'MODULE_PATHNAME'; -CREATE FUNCTION pg_tde_set_key_using_global_key_provider(key_name TEXT, provider_name TEXT DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE) +CREATE FUNCTION pg_tde_set_key_using_global_key_provider(key_name TEXT, provider_name TEXT, ensure_new_key BOOLEAN DEFAULT FALSE) RETURNS VOID LANGUAGE C AS 'MODULE_PATHNAME'; -CREATE FUNCTION pg_tde_set_server_key_using_global_key_provider(key_name TEXT, provider_name TEXT DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE) +CREATE FUNCTION pg_tde_set_server_key_using_global_key_provider(key_name TEXT, provider_name TEXT, ensure_new_key BOOLEAN DEFAULT FALSE) RETURNS VOID LANGUAGE C AS 'MODULE_PATHNAME'; -CREATE FUNCTION pg_tde_set_default_key_using_global_key_provider(key_name TEXT, provider_name TEXT DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE) +CREATE FUNCTION pg_tde_set_default_key_using_global_key_provider(key_name TEXT, provider_name TEXT, ensure_new_key BOOLEAN DEFAULT FALSE) RETURNS VOID AS 'MODULE_PATHNAME' LANGUAGE C; diff --git a/contrib/pg_tde/sql/key_provider.sql b/contrib/pg_tde/sql/key_provider.sql index 665aa28049be1..81437df9cd5ce 100644 --- a/contrib/pg_tde/sql/key_provider.sql +++ b/contrib/pg_tde/sql/key_provider.sql @@ -160,6 +160,12 @@ DROP DATABASE db_using_database_provider; SELECT pg_tde_delete_database_key_provider(NULL); SELECT pg_tde_delete_global_key_provider(NULL); +-- Setting principal key fails if provider name is NULL +SELECT pg_tde_set_default_key_using_global_key_provider('key', NULL); +SELECT pg_tde_set_key_using_database_key_provider('key', NULL); +SELECT pg_tde_set_key_using_global_key_provider('key', NULL); +SELECT pg_tde_set_server_key_using_global_key_provider('key', NULL); + -- Setting principal key fails if key name is NULL SELECT pg_tde_set_default_key_using_global_key_provider(NULL, 'file-keyring'); SELECT pg_tde_set_key_using_database_key_provider(NULL, 'file-keyring'); diff --git a/contrib/pg_tde/src/catalog/tde_principal_key.c b/contrib/pg_tde/src/catalog/tde_principal_key.c index ab4516a8a6e2e..5e73d35bbda35 100644 --- a/contrib/pg_tde/src/catalog/tde_principal_key.c +++ b/contrib/pg_tde/src/catalog/tde_principal_key.c @@ -228,10 +228,10 @@ void set_principal_key_with_keyring(const char *key_name, const char *provider_name, Oid providerOid, Oid dbOid, bool ensure_new_key) { - TDEPrincipalKey *curr_principal_key = NULL; - TDEPrincipalKey *new_principal_key = NULL; + TDEPrincipalKey *curr_principal_key; + TDEPrincipalKey *new_principal_key; LWLock *lock_files = tde_lwlock_enc_keys(); - bool already_has_key = false; + bool already_has_key; GenericKeyring *new_keyring; const KeyInfo *keyInfo = NULL; @@ -249,21 +249,7 @@ set_principal_key_with_keyring(const char *key_name, const char *provider_name, curr_principal_key = GetPrincipalKeyNoDefault(dbOid, LW_EXCLUSIVE); already_has_key = (curr_principal_key != NULL); - if (provider_name == NULL && !already_has_key) - { - ereport(ERROR, - errmsg("provider_name is a required parameter when creating the first principal key for a database")); - } - - if (provider_name != NULL) - { - new_keyring = GetKeyProviderByName(provider_name, providerOid); - } - else - { - new_keyring = GetKeyProviderByID(curr_principal_key->keyInfo.keyringId, - curr_principal_key->keyInfo.databaseId); - } + new_keyring = GetKeyProviderByName(provider_name, providerOid); { KeyringReturnCodes kr_ret; @@ -292,11 +278,6 @@ set_principal_key_with_keyring(const char *key_name, const char *provider_name, if (keyInfo == NULL) keyInfo = KeyringGenerateNewKeyAndStore(new_keyring, key_name, PRINCIPAL_KEY_LEN); - if (keyInfo == NULL) - { - ereport(ERROR, errmsg("failed to retrieve/create principal key.")); - } - new_principal_key = palloc_object(TDEPrincipalKey); new_principal_key->keyInfo.databaseId = dbOid; new_principal_key->keyInfo.keyringId = new_keyring->keyring_id; @@ -549,6 +530,10 @@ pg_tde_set_principal_key_internal(Oid providerOid, Oid dbOid, const char *key_na ereport(ERROR, errcode(ERRCODE_INVALID_PARAMETER_VALUE), errmsg("key name \"\" is too short")); + if (provider_name == NULL) + ereport(ERROR, + errcode(ERRCODE_NULL_VALUE_NOT_ALLOWED), + errmsg("key provider name cannot be null")); ereport(LOG, errmsg("Setting principal key [%s : %s] for the database", key_name, provider_name)); diff --git a/contrib/pg_tde/t/002_rotate_key.pl b/contrib/pg_tde/t/002_rotate_key.pl index eb188448a999c..02da31aca98b8 100644 --- a/contrib/pg_tde/t/002_rotate_key.pl +++ b/contrib/pg_tde/t/002_rotate_key.pl @@ -46,7 +46,8 @@ # Rotate key PGTDE::psql($node, 'postgres', - "SELECT pg_tde_set_key_using_database_key_provider('rotated-key1');"); + "SELECT pg_tde_set_key_using_database_key_provider('rotated-key1', 'file-vault');" +); PGTDE::psql($node, 'postgres', 'SELECT * FROM test_enc ORDER BY id;'); PGTDE::append_to_result_file("-- server restart"); diff --git a/contrib/pg_tde/t/expected/002_rotate_key.out b/contrib/pg_tde/t/expected/002_rotate_key.out index 0a4b5c65eda0d..4f7a729433615 100644 --- a/contrib/pg_tde/t/expected/002_rotate_key.out +++ b/contrib/pg_tde/t/expected/002_rotate_key.out @@ -45,7 +45,7 @@ SELECT * FROM test_enc ORDER BY id; 2 | 6 (2 rows) -SELECT pg_tde_set_key_using_database_key_provider('rotated-key1'); +SELECT pg_tde_set_key_using_database_key_provider('rotated-key1', 'file-vault'); pg_tde_set_key_using_database_key_provider --------------------------------------------