hashicorp · bgajjala8 · Oct 9, 2025 · Oct 7, 2025
@@ -115,4 +115,98 @@ begin;
 
   create index credential_static_password_credential_deleted_delete_time_idx on credential_static_password_credential_deleted (delete_time);
 
+  create view credential_static_password_credential_hst_aggregate as
+    select
+      rsc.recording_id,
+      spc.public_id,
+      spc.name,
+      spc.description,
+      spc.password_hmac,
+      css.public_id as store_public_id,
+      css.project_id as store_project_id,
+      css.name as store_name,
+      css.description as store_description,
+      string_agg(distinct rsc.credential_purpose, '|') as purposes
+    from
+      credential_static_password_credential_hst as spc
+        left join recording_static_credential as rsc on spc.history_id = rsc.credential_static_hst_id
+        join credential_static_store_hst as css on rsc.credential_static_store_hst_id = css.history_id
+    group by spc.history_id, rsc.recording_id, css.history_id;
+  comment on view credential_static_password_credential_hst_aggregate is
+    'credential_static_password_credential_hst_aggregate contains the password credential history data along with its store and purpose data.';
+
+    -- This constraint replaces the previous constraint created in 98/01_credential_static_username_password_domain_credential.up.sql
+  alter table credential_type_enm
+    drop constraint only_predefined_credential_types_allowed;
+
+  alter table credential_type_enm
+    add constraint only_predefined_credential_types_allowed
+      check (
+        name in (
+          'unspecified',
+          'username_password',
+          'ssh_private_key',
+          'ssh_certificate',
+          'username_password_domain',
+          'password'
+        )
+      );
+
+  insert into credential_type_enm (name)
+    values ('password');
+
+  -- This function replaces the previous function created in 98/01_credential_static_username_password_domain_credential.up.sql
+  create or replace function insert_recording_static_credentials() returns trigger
+    as $$
+    begin
+      with
+      session_recording(session_id, recording_id) as (
+        select session_id, public_id
+          from recording_session
+        where session_id = new.session_id
+      ),
+      session_static_creds(cred_id, purpose, recording_id) as (
+        select credential_static_id, credential_purpose, recording_id
+          from session_credential_static
+        join session_recording using (session_id)
+      ),
+      static_cred_history(public_id, store_id, cred_hst_id, valid_range) as (
+        select public_id, store_id, history_id, valid_range
+          from credential_static_json_credential_hst
+        union
+        select public_id, store_id, history_id, valid_range
+          from credential_static_ssh_private_key_credential_hst
+        union
+        select public_id, store_id, history_id, valid_range
+          from credential_static_username_password_credential_hst
+        union
+        select public_id, store_id, history_id, valid_range
+          from credential_static_username_password_domain_credential_hst
+        union
+        select public_id, store_id, history_id, valid_range
+          from credential_static_password_credential_hst
+      ),
+      final(recording_id, cred_id, store_id, cred_hst_id, store_hst_id, cred_purpose) as (
+        select ssc.recording_id, sc.public_id, sc.store_id, sc.cred_hst_id, store_hst.history_id, ssc.purpose
+          from static_cred_history as sc
+          join credential_static_store_hst as store_hst on sc.store_id = store_hst.public_id
+            and store_hst.valid_range @> current_timestamp
+          join session_static_creds as ssc on sc.public_id = ssc.cred_id
+          where sc.public_id in (select cred_id from session_static_creds)
+            and sc.valid_range @> current_timestamp
+      )
+      insert into recording_static_credential
+            (recording_id, credential_static_store_hst_id, credential_static_hst_id, credential_purpose)
+      select recording_id, store_hst_id, cred_hst_id, cred_purpose
+        from final;
+
+      return new;
+    end;
+    $$ language plpgsql;
+
+  comment on function insert_recording_static_credentials is
+    'insert_recording_static_credentials is an after insert trigger for the recording_session table.';
+
+  insert into oplog_ticket (name, version)
+    values ('credential_static_password_credential', 1);
 commit;