mirror of https://github.com/hashicorp/boundary
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
266 lines
13 KiB
266 lines
13 KiB
-- Copyright IBM Corp. 2020, 2026
|
|
-- SPDX-License-Identifier: BUSL-1.1
|
|
|
|
begin;
|
|
|
|
-- dropping these foreign keys because they were never needed
|
|
alter table credential_static_store drop constraint iam_scope_fkey;
|
|
alter table credential_vault_store drop constraint iam_scope_fkey;
|
|
|
|
alter table credential_store rename column scope_id to project_id;
|
|
alter table credential_store rename constraint credential_store_scope_id_public_id_uq to credential_store_project_id_public_id_uq;
|
|
drop trigger immutable_columns on credential_store;
|
|
create trigger immutable_columns before update on credential_store
|
|
for each row execute function immutable_columns('public_id', 'project_id');
|
|
|
|
-- insert_credential_store_subtype() is a before insert trigger
|
|
-- function for subtypes of credential_store.
|
|
-- Replaces the insert_credential_store_subtype function defined in 10/03_credential.up.sql
|
|
-- Replaced in 81/05_credential_store_base_table_updates.up.sql
|
|
create or replace function insert_credential_store_subtype() returns trigger
|
|
as $$
|
|
begin
|
|
insert into credential_store
|
|
(public_id, project_id)
|
|
values
|
|
(new.public_id, new.project_id);
|
|
return new;
|
|
end;
|
|
$$ language plpgsql;
|
|
comment on function insert_credential_store_subtype() is
|
|
'insert_credential_store_subtype() is a before insert trigger function that should be added to all credential_store subtype tables.';
|
|
|
|
alter table credential_vault_store rename column scope_id to project_id;
|
|
alter table credential_vault_store rename constraint credential_vault_store_scope_id_name_uq to credential_vault_store_project_id_name_uq;
|
|
drop trigger immutable_columns on credential_vault_store;
|
|
create trigger immutable_columns before update on credential_vault_store
|
|
for each row execute function immutable_columns('public_id', 'project_id', 'create_time');
|
|
|
|
alter table credential_static_store rename column scope_id to project_id;
|
|
alter table credential_static_store rename constraint credential_static_store_scope_id_name_uq to credential_static_store_project_id_name_uq;
|
|
drop trigger immutable_columns on credential_static_store;
|
|
create trigger immutable_columns before update on credential_static_store
|
|
for each row execute function immutable_columns('public_id', 'project_id', 'create_time');
|
|
|
|
-- update views
|
|
drop view credential_vault_store_public;
|
|
drop view credential_vault_library_public;
|
|
drop view credential_vault_library_private;
|
|
drop view credential_vault_store_private;
|
|
drop view credential_vault_credential_private;
|
|
|
|
-- Replaced in 49/01_vault_credentials.up.sql
|
|
create view credential_vault_store_private as
|
|
with
|
|
active_tokens as (
|
|
select token_hmac,
|
|
token, -- encrypted
|
|
store_id,
|
|
create_time,
|
|
update_time,
|
|
last_renewal_time,
|
|
expiration_time,
|
|
-- renewal time is the midpoint between the last renewal time and the expiration time
|
|
last_renewal_time + (expiration_time - last_renewal_time) / 2 as renewal_time,
|
|
key_id,
|
|
status
|
|
from credential_vault_token
|
|
where status in ('current', 'maintaining', 'revoke')
|
|
)
|
|
select store.public_id as public_id,
|
|
store.project_id as project_id,
|
|
store.name as name,
|
|
store.description as description,
|
|
store.create_time as create_time,
|
|
store.update_time as update_time,
|
|
store.delete_time as delete_time,
|
|
store.version as version,
|
|
store.vault_address as vault_address,
|
|
store.namespace as namespace,
|
|
store.ca_cert as ca_cert,
|
|
store.tls_server_name as tls_server_name,
|
|
store.tls_skip_verify as tls_skip_verify,
|
|
store.public_id as store_id,
|
|
store.worker_filter as worker_filter,
|
|
token.token_hmac as token_hmac,
|
|
token.token as ct_token, -- encrypted
|
|
token.create_time as token_create_time,
|
|
token.update_time as token_update_time,
|
|
token.last_renewal_time as token_last_renewal_time,
|
|
token.expiration_time as token_expiration_time,
|
|
token.renewal_time as token_renewal_time,
|
|
token.key_id as token_key_id,
|
|
token.status as token_status,
|
|
cert.certificate as client_cert,
|
|
cert.certificate_key as ct_client_key, -- encrypted
|
|
cert.certificate_key_hmac as client_cert_key_hmac,
|
|
cert.key_id as client_key_id
|
|
from credential_vault_store store
|
|
left join active_tokens token
|
|
on store.public_id = token.store_id
|
|
left join credential_vault_client_certificate cert
|
|
on store.public_id = cert.store_id;
|
|
comment on view credential_vault_store_private is
|
|
'credential_vault_store_private is a view where each row contains a credential store and the credential store''s data needed to connect to Vault. '
|
|
'The view returns a separate row for each current, maintaining and revoke token; maintaining tokens should only be used for token/credential renewal and revocation. '
|
|
'Each row may contain encrypted data. This view should not be used to retrieve data which will be returned external to boundary.';
|
|
|
|
-- Replaced in 49/01_vault_credentials.up.sql
|
|
create view credential_vault_store_public as
|
|
select public_id,
|
|
project_id,
|
|
name,
|
|
description,
|
|
create_time,
|
|
update_time,
|
|
version,
|
|
vault_address,
|
|
namespace,
|
|
ca_cert,
|
|
tls_server_name,
|
|
tls_skip_verify,
|
|
worker_filter,
|
|
token_hmac,
|
|
token_create_time,
|
|
token_update_time,
|
|
token_last_renewal_time,
|
|
token_expiration_time,
|
|
client_cert,
|
|
client_cert_key_hmac
|
|
from credential_vault_store_private
|
|
where token_status = 'current'
|
|
and delete_time is null;
|
|
comment on view credential_vault_store_public is
|
|
'credential_vault_store_public is a view where each row contains a credential store. '
|
|
'No encrypted data is returned. This view can be used to retrieve data which will be returned external to boundary.';
|
|
|
|
-- Replaced in 49/01_vault_credentials.up.sql
|
|
create view credential_vault_library_private as
|
|
with
|
|
password_override (library_id, username_attribute, password_attribute) as (
|
|
select library_id,
|
|
nullif(username_attribute, wt_to_sentinel('no override')),
|
|
nullif(password_attribute, wt_to_sentinel('no override'))
|
|
from credential_vault_library_username_password_mapping_override
|
|
),
|
|
ssh_private_key_override (library_id, username_attribute, private_key_attribute, private_key_passphrase_attribute) as (
|
|
select library_id,
|
|
nullif(username_attribute, wt_to_sentinel('no override')),
|
|
nullif(private_key_attribute, wt_to_sentinel('no override')),
|
|
nullif(private_key_passphrase_attribute, wt_to_sentinel('no override'))
|
|
from credential_vault_library_ssh_private_key_mapping_override
|
|
)
|
|
select library.public_id as public_id,
|
|
library.store_id as store_id,
|
|
library.name as name,
|
|
library.description as description,
|
|
library.create_time as create_time,
|
|
library.update_time as update_time,
|
|
library.version as version,
|
|
library.vault_path as vault_path,
|
|
library.http_method as http_method,
|
|
library.http_request_body as http_request_body,
|
|
library.credential_type as credential_type,
|
|
store.project_id as project_id,
|
|
store.vault_address as vault_address,
|
|
store.namespace as namespace,
|
|
store.ca_cert as ca_cert,
|
|
store.tls_server_name as tls_server_name,
|
|
store.tls_skip_verify as tls_skip_verify,
|
|
store.worker_filter as worker_filter,
|
|
store.token_hmac as token_hmac,
|
|
store.ct_token as ct_token, -- encrypted
|
|
store.token_key_id as token_key_id,
|
|
store.client_cert as client_cert,
|
|
store.ct_client_key as ct_client_key, -- encrypted
|
|
store.client_key_id as client_key_id,
|
|
coalesce(upasso.username_attribute,sshpk.username_attribute)
|
|
as username_attribute,
|
|
upasso.password_attribute as password_attribute,
|
|
sshpk.private_key_attribute as private_key_attribute,
|
|
sshpk.private_key_passphrase_attribute as private_key_passphrase_attribute
|
|
from credential_vault_library library
|
|
join credential_vault_store_private store
|
|
on library.store_id = store.public_id
|
|
left join password_override upasso
|
|
on library.public_id = upasso.library_id
|
|
and store.token_status = 'current'
|
|
left join ssh_private_key_override sshpk
|
|
on library.public_id = sshpk.library_id
|
|
and store.token_status = 'current';
|
|
comment on view credential_vault_library_private is
|
|
'credential_vault_library_private is a view where each row contains a credential library and the credential library''s data needed to connect to Vault. '
|
|
'Each row may contain encrypted data. This view should not be used to retrieve data which will be returned external to boundary.';
|
|
|
|
-- Replaced in 49/01_vault_credentials.up.sql
|
|
create view credential_vault_library_public as
|
|
select public_id,
|
|
store_id,
|
|
name,
|
|
description,
|
|
create_time,
|
|
update_time,
|
|
version,
|
|
vault_path,
|
|
http_method,
|
|
http_request_body,
|
|
credential_type,
|
|
worker_filter,
|
|
username_attribute,
|
|
password_attribute,
|
|
private_key_attribute,
|
|
private_key_passphrase_attribute
|
|
from credential_vault_library_private;
|
|
comment on view credential_vault_library_public is
|
|
'credential_vault_library_public is a view where each row contains a credential library and any of library''s credential mapping overrides. '
|
|
'No encrypted data is returned. This view can be used to retrieve data which will be returned external to boundary.';
|
|
|
|
-- Replaces view from 41/01_worker_filter_vault_cred_store.up.sql
|
|
-- Recreated in 56/02_add_data_key_foreign_key_references.up.sql
|
|
create view credential_vault_credential_private as
|
|
select credential.public_id as public_id,
|
|
credential.library_id as library_id,
|
|
credential.session_id as session_id,
|
|
credential.create_time as create_time,
|
|
credential.update_time as update_time,
|
|
credential.version as version,
|
|
credential.external_id as external_id,
|
|
credential.last_renewal_time as last_renewal_time,
|
|
credential.expiration_time as expiration_time,
|
|
credential.is_renewable as is_renewable,
|
|
credential.status as status,
|
|
credential.last_renewal_time + (credential.expiration_time - credential.last_renewal_time) / 2 as renewal_time,
|
|
token.token_hmac as token_hmac,
|
|
token.token as ct_token, -- encrypted
|
|
token.create_time as token_create_time,
|
|
token.update_time as token_update_time,
|
|
token.last_renewal_time as token_last_renewal_time,
|
|
token.expiration_time as token_expiration_time,
|
|
token.key_id as token_key_id,
|
|
token.status as token_status,
|
|
store.project_id as project_id,
|
|
store.vault_address as vault_address,
|
|
store.namespace as namespace,
|
|
store.ca_cert as ca_cert,
|
|
store.tls_server_name as tls_server_name,
|
|
store.tls_skip_verify as tls_skip_verify,
|
|
store.worker_filter as worker_filter,
|
|
cert.certificate as client_cert,
|
|
cert.certificate_key as ct_client_key, -- encrypted
|
|
cert.certificate_key_hmac as client_cert_key_hmac,
|
|
cert.key_id as client_key_id
|
|
from credential_vault_credential credential
|
|
join credential_vault_token token
|
|
on credential.token_hmac = token.token_hmac
|
|
join credential_vault_store store
|
|
on token.store_id = store.public_id
|
|
left join credential_vault_client_certificate cert
|
|
on store.public_id = cert.store_id
|
|
where credential.expiration_time != 'infinity'::date;
|
|
comment on view credential_vault_credential_private is
|
|
'credential_vault_credential_private is a view where each row contains a credential, '
|
|
'the vault token used to issue the credential, and the credential store data needed to connect to Vault. '
|
|
'Each row may contain encrypted data. This view should not be used to retrieve data which will be returned external to boundary.';
|
|
|
|
commit;
|