fix: grant Vault privs to service_role (#1539)

* fix: grant Vault privs to service_role

* adjust tests according to the fix

* chore: bump versions

* fix: missing Vault privileges for postgres

* fix: also privs in the migration

* test: schema snapshots changed

Trailing whitespace were somehow added in
#1562; probably different
handling between dbmate and pg_dump

---------

Co-authored-by: steve-chavez <[email protected]>

Author: soedirgo

ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql

@@ -1,3 +1,8 @@
 grant usage on schema vault to postgres with grant option;
-grant select, delete on vault.secrets, vault.decrypted_secrets to postgres with grant option;
+grant select, delete, truncate, references on vault.secrets, vault.decrypted_secrets to postgres with grant option;
 grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to postgres with grant option;
+
+-- service_role used to be able to manage secrets in Vault <=0.2.8 because it had privileges to pgsodium functions
+grant usage on schema vault to service_role;
+grant select, delete on vault.secrets, vault.decrypted_secrets to service_role;
+grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to service_role;

ansible/vars.yml

@@ -9,9 +9,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.0.1.069-orioledb"
-  postgres17: "17.4.1.019"
-  postgres15: "15.8.1.076"
+  postgresorioledb-17: "17.0.1.070-orioledb"
+  postgres17: "17.4.1.020"
+  postgres15: "15.8.1.077"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"

migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql

@@ -10,9 +10,12 @@ BEGIN
 
     -- for some reason extension custom scripts aren't run during AMI build, so
     -- we manually run it here
-    GRANT USAGE ON SCHEMA vault TO postgres WITH GRANT OPTION;
-    GRANT SELECT, DELETE ON vault.secrets, vault.decrypted_secrets TO postgres WITH GRANT OPTION;
-    GRANT EXECUTE ON FUNCTION vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt TO postgres WITH GRANT OPTION;
+    grant usage on schema vault to postgres with grant option;
+    grant select, delete, truncate, references on vault.secrets, vault.decrypted_secrets to postgres with grant option;
+    grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to postgres with grant option;
+    grant usage on schema vault to service_role;
+    grant select, delete on vault.secrets, vault.decrypted_secrets to service_role;
+    grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to service_role;
   ELSE
     pgsodium_exists = (
       select count(*) = 1 

nix/tests/expected/roles.out

@@ -575,6 +575,7 @@ order by schema_order, schema_name, privilege_type, grantee, default_for;
  topology           | USAGE          | supabase_admin           | supabase_admin
  vault              | CREATE         | supabase_admin           | supabase_admin
  vault              | USAGE          | postgres                 | supabase_admin
+ vault              | USAGE          | service_role             | supabase_admin
  vault              | USAGE          | supabase_admin           | supabase_admin
-(390 rows)
+(391 rows)
 

nix/tests/expected/vault.out

@@ -28,13 +28,19 @@ ORDER BY object_name, grantee, privilege_type;
  schema |        object_name        |    grantee     | privilege_type 
 --------+---------------------------+----------------+----------------
  vault  | _crypto_aead_det_decrypt  | postgres       | EXECUTE
+ vault  | _crypto_aead_det_decrypt  | service_role   | EXECUTE
  vault  | _crypto_aead_det_decrypt  | supabase_admin | EXECUTE
  vault  | _crypto_aead_det_encrypt  | supabase_admin | EXECUTE
  vault  | _crypto_aead_det_noncegen | supabase_admin | EXECUTE
  vault  | create_secret             | postgres       | EXECUTE
+ vault  | create_secret             | service_role   | EXECUTE
  vault  | create_secret             | supabase_admin | EXECUTE
  vault  | decrypted_secrets         | postgres       | DELETE
+ vault  | decrypted_secrets         | postgres       | REFERENCES
  vault  | decrypted_secrets         | postgres       | SELECT
+ vault  | decrypted_secrets         | postgres       | TRUNCATE
+ vault  | decrypted_secrets         | service_role   | DELETE
+ vault  | decrypted_secrets         | service_role   | SELECT
  vault  | decrypted_secrets         | supabase_admin | DELETE
  vault  | decrypted_secrets         | supabase_admin | INSERT
  vault  | decrypted_secrets         | supabase_admin | REFERENCES
@@ -43,7 +49,11 @@ ORDER BY object_name, grantee, privilege_type;
  vault  | decrypted_secrets         | supabase_admin | TRUNCATE
  vault  | decrypted_secrets         | supabase_admin | UPDATE
  vault  | secrets                   | postgres       | DELETE
+ vault  | secrets                   | postgres       | REFERENCES
  vault  | secrets                   | postgres       | SELECT
+ vault  | secrets                   | postgres       | TRUNCATE
+ vault  | secrets                   | service_role   | DELETE
+ vault  | secrets                   | service_role   | SELECT
  vault  | secrets                   | supabase_admin | DELETE
  vault  | secrets                   | supabase_admin | INSERT
  vault  | secrets                   | supabase_admin | REFERENCES
@@ -52,8 +62,9 @@ ORDER BY object_name, grantee, privilege_type;
  vault  | secrets                   | supabase_admin | TRUNCATE
  vault  | secrets                   | supabase_admin | UPDATE
  vault  | update_secret             | postgres       | EXECUTE
+ vault  | update_secret             | service_role   | EXECUTE
  vault  | update_secret             | supabase_admin | EXECUTE
-(26 rows)
+(37 rows)
 
 -- vault indexes with owners
 SELECT