Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor tce #86

Open
wants to merge 16 commits into
base: main
Choose a base branch
from
Open

Refactor tce #86

wants to merge 16 commits into from

Conversation

ioguix
Copy link
Collaborator

@ioguix ioguix commented Jun 21, 2023

This branch is based on branch full_ext_script_3.2 (PR #85). It includes:

  • a new pgsodium.debug GUC
  • refactoring how encryption triggers and decryption views are generated
  • implement encryption triggers in C
  • revoke privs from public on generated decryption views.

ioguix added 16 commits June 9, 2023 11:50
@ioguix
Set version 3.2.0
420c071
@ioguix
Remove useless pgsodium.create_mask_view(oid,boolean)
fec4f1c
@ioguix
Remove useless pgsodium.mask_columns(oid)
d072843
@ioguix
Remove useless schema pgsodium_masks
e382105
@ioguix
Add 3.2.0 full script
b56d914
@ioguix
Rename constraint name to match the one from 3.2.0 full script
990c48e
@ioguix
Add missing column user_data to the decrypted_key view
df73592
@ioguix
Fix privileges on key and decrypted_keys
6ea0ad2
@ioguix
Revoke default permission on pgsodium from pgsodium_keyholder
aad3d33
@ioguix
Makes Dockerfile less chatty
e702c98
@ioguix
Test both full script and incremental script
eba5786
@ioguix
Avoid rebuilding the docker image when possible
b5da330
@ioguix
Introduce pgsodium.debug GUC
389c131
@ioguix
Split trigger and view creation in different functions
458394d 
Before this commit, triggers and views were all recreated each
time a matching event trigger was exectued.

Now, create_mask_view(...) only create or replace the old view
on top of a table with some encrypted fields. It doesn't
drop/create encryption trigger anymore.

The previous code generating encryption triggers has been moved
to a new dedicated function called create_mask_colum(...).

The event trigger used to call update_masks() which was rebuilding
all the view and all the triggers. thanks of the split of
create_mask_view() and create_mask_colum(), it can now calls
either of these function based on the object type of the event.
@ioguix
Implement generic encryption trigger in C
04e18df 
This commit creates C trigger functions
"trg_encrypt_using_key_col()" and "trg_encrypt_using_key_id()"
able to encrypt any column in any table no matter the name or
position of the column.

That means we now pass to the trigger the column name we need
to encrypt and other infos about the encryption key, additional
data, nonce, etc.

In consequence, we now use the same two functions for all our
encryption triggers. This avoids the generation of a dedicated
plpgsql trigger for each column we need to encrypt.

Creating generic triggers for any table/column is not possible in
plpgsql because you can not reference a record's field using a
variable. Plpgsql is not able to dereference a column inside the
"new" record.
@ioguix
Revoke all privilege from public on decrypting views
73acc11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ioguix