fix: pgsodium after-create script

soedirgo · soedirgo · commit 873e63b8f5ad · 2025-01-14T20:47:15.000+08:00
diff --git a/ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql b/ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql
@@ -1,3 +1,36 @@
+do $$
+declare
+  _extversion text := @extversion@;
+  _r record;
+begin
+  if _extversion is not null and _extversion != '3.1.8' then
+    raise exception 'only pgsodium 3.1.8 is supported';
+  end if;
+end $$;
+
 grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, bytea) to service_role;
 grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role;
 grant execute on function pgsodium.crypto_aead_det_keygen to service_role;
+
+CREATE OR REPLACE FUNCTION pgsodium.mask_role(masked_role regrole, source_name text, view_name text)
+RETURNS void
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path TO ''
+AS $function$
+BEGIN
+  EXECUTE format(
+    'GRANT SELECT ON pgsodium.key TO %s',
+    masked_role);
+
+  EXECUTE format(
+    'GRANT pgsodium_keyiduser, pgsodium_keyholder TO %s',
+    masked_role);
+
+  EXECUTE format(
+    'GRANT ALL ON %I TO %s',
+    view_name,
+    masked_role);
+  RETURN;
+END
+$function$;
