feat: multiple versions for the vault extension

Build multiple versions of the vault extension on different PostgreSQL versions.
Add test for the extensions and their upgrade on PostgreSQL 15 and 17.

Author: jfroche

nix/ext/tests/default.nix

@@ -69,12 +69,20 @@ let
             enable = true;
             package = psql_15;
             enableTCPIP = true;
-            initialScript = pkgs.writeText "init-postgres-with-password" ''
-              CREATE USER test WITH PASSWORD 'secret';
-            '';
             authentication = ''
-              host test postgres samenet scram-sha-256
+              local all postgres peer map=postgres
+              local all all peer map=root
+            '';
+            identMap = ''
+              root root supabase_admin
+              postgres postgres postgres
             '';
+            ensureUsers = [
+              {
+                name = "supabase_admin";
+                ensureClauses.superuser = true;
+              }
+            ];
             settings = (installedExtension "15").defaultSettings or { };
           };
 

nix/ext/tests/lib.py

@@ -38,12 +38,12 @@ def __init__(
 
     def run_sql(self, query: str) -> str:
         return self.vm.succeed(
-            f"""sudo -u postgres psql -t -A -F\",\" -c \"{query}\" """
+            f"""psql -U supabase_admin -d postgres -t -A -F\",\" -c \"{query}\" """
         ).strip()
 
     def run_sql_file(self, file: str) -> str:
         return self.vm.succeed(
-            f"""sudo -u postgres psql -v ON_ERROR_STOP=1 -f \"{file}\""""
+            f"""psql -U supabase_admin -d postgres -v ON_ERROR_STOP=1 -f \"{file}\""""
         ).strip()
 
     def drop_extension(self):

nix/ext/tests/pgmq.nix

@@ -47,6 +47,20 @@ self.inputs.nixpkgs.lib.nixos.runTest {
       services.postgresql = {
         enable = true;
         package = (postgresqlWithExtension psql_15);
+        authentication = ''
+          local all postgres peer map=postgres
+          local all all peer map=root
+        '';
+        identMap = ''
+          root root supabase_admin
+          postgres postgres postgres
+        '';
+        ensureUsers = [
+          {
+            name = "supabase_admin";
+            ensureClauses.superuser = true;
+          }
+        ];
         settings = (installedExtension "15").defaultSettings or { };
       };
 

nix/ext/tests/timescaledb.nix

@@ -46,6 +46,22 @@ self.inputs.nixpkgs.lib.nixos.runTest {
       services.postgresql = {
         enable = true;
         package = (postgresqlWithExtension psql_15);
+        authentication = ''
+          local all postgres peer map=postgres
+          local all all peer map=root
+        '';
+        identMap = ''
+          root root supabase_admin
+          postgres postgres postgres
+        '';
+        ensureUsers = [
+          {
+            name = "supabase_admin";
+            ensureClauses.superuser = true;
+          }
+          { name = "service_role"; }
+        ];
+
         settings = {
           shared_preload_libraries = "timescaledb";
         };

nix/ext/tests/vault.nix

@@ -0,0 +1,200 @@
+{ self, pkgs }:
+let
+  pname = "supabase_vault";
+  inherit (pkgs) lib;
+  installedExtension =
+    postgresMajorVersion: self.packages.${pkgs.system}."psql_${postgresMajorVersion}/exts/${pname}-all";
+  versions = postgresqlMajorVersion: (installedExtension postgresqlMajorVersion).versions;
+  postgresqlWithExtension =
+    postgresql:
+    let
+      majorVersion = lib.versions.major postgresql.version;
+      pkg = pkgs.buildEnv {
+        name = "postgresql-${majorVersion}-${pname}";
+        paths = [
+          postgresql
+          postgresql.lib
+          (installedExtension majorVersion)
+          self.packages.${pkgs.system}."psql_${majorVersion}/exts/pgsodium-all" # dependency
+        ];
+        passthru = {
+          inherit (postgresql) version psqlSchema;
+          lib = pkg;
+          withPackages = _: pkg;
+        };
+        nativeBuildInputs = [ pkgs.makeWrapper ];
+        pathsToLink = [
+          "/"
+          "/bin"
+          "/lib"
+        ];
+        postBuild = ''
+          wrapProgram $out/bin/postgres --set NIX_PGLIBDIR $out/lib
+          wrapProgram $out/bin/pg_ctl --set NIX_PGLIBDIR $out/lib
+          wrapProgram $out/bin/pg_upgrade --set NIX_PGLIBDIR $out/lib
+        '';
+      };
+    in
+    pkg;
+  vaultGetKey = lib.getExe (
+    pkgs.writeShellScriptBin "vault-getkey" ''
+      echo 0000000000000000000000000000000000000000000000000000000000000000
+    ''
+  );
+  psql_15 = postgresqlWithExtension self.packages.${pkgs.system}.postgresql_15;
+  psql_17 = postgresqlWithExtension self.packages.${pkgs.system}.postgresql_17;
+in
+self.inputs.nixpkgs.lib.nixos.runTest {
+  name = pname;
+  hostPkgs = pkgs;
+  nodes.server =
+    { config, ... }:
+    {
+      virtualisation = {
+        forwardPorts = [
+          {
+            from = "host";
+            host.port = 13022;
+            guest.port = 22;
+          }
+        ];
+      };
+
+      services.postgresql = {
+        enable = true;
+        package = psql_15;
+        authentication = ''
+          local all postgres peer map=postgres
+          local all all peer map=root
+        '';
+        identMap = ''
+          root root supabase_admin
+          postgres postgres postgres
+        '';
+        initialScript = pkgs.writeText "vault-init.sql" ''
+          CREATE SCHEMA vault;
+        '';
+        ensureUsers = [
+          {
+            name = "supabase_admin";
+            ensureClauses.superuser = true;
+          }
+          { name = "service_role"; }
+        ];
+        settings = {
+          "shared_preload_libraries" = "${pname},pgsodium";
+          "pgsodium.getkey_script" = vaultGetKey;
+          "vault.getkey_script" = vaultGetKey;
+        };
+      };
+
+      specialisation.postgresql17.configuration = {
+        services.postgresql = {
+          package = lib.mkForce psql_17;
+        };
+
+        systemd.services.postgresql-migrate = {
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+            User = "postgres";
+            Group = "postgres";
+            StateDirectory = "postgresql";
+            WorkingDirectory = "${builtins.dirOf config.services.postgresql.dataDir}";
+          };
+          script =
+            let
+              oldPostgresql = psql_15;
+              newPostgresql = psql_17;
+              oldDataDir = "${builtins.dirOf config.services.postgresql.dataDir}/${oldPostgresql.psqlSchema}";
+              newDataDir = "${builtins.dirOf config.services.postgresql.dataDir}/${newPostgresql.psqlSchema}";
+            in
+            ''
+              if [[ ! -d ${newDataDir} ]]; then
+                install -d -m 0700 -o postgres -g postgres "${newDataDir}"
+                ${newPostgresql}/bin/initdb -D "${newDataDir}"
+                echo "shared_preload_libraries = '${pname},pgsodium'" >> "${newDataDir}/postgresql.conf"
+                echo "vault.getkey_script = '${vaultGetKey}'" >> "${newDataDir}/postgresql.conf";
+                echo "pgsodium.getkey_script = '${vaultGetKey}'" >> "${newDataDir}/postgresql.conf";
+                ${newPostgresql}/bin/pg_upgrade --old-datadir "${oldDataDir}" --new-datadir "${newDataDir}" \
+                  --old-bindir "${oldPostgresql}/bin" --new-bindir "${newPostgresql}/bin"
+              else
+                echo "${newDataDir} already exists"
+              fi
+            '';
+        };
+
+        systemd.services.postgresql = {
+          after = [ "postgresql-migrate.service" ];
+          requires = [ "postgresql-migrate.service" ];
+        };
+      };
+    };
+  testScript =
+    { nodes, ... }:
+    let
+      pg17-configuration = "${nodes.server.system.build.toplevel}/specialisation/postgresql17";
+    in
+    ''
+      from pathlib import Path
+      versions = {
+        "15": [${lib.concatStringsSep ", " (map (s: ''"${s}"'') (versions "15"))}],
+        "17": [${lib.concatStringsSep ", " (map (s: ''"${s}"'') (versions "17"))}],
+      }
+      extension_name = "${pname}"
+      support_upgrade = True
+      pg17_configuration = "${pg17-configuration}"
+      ext_has_background_worker = ${
+        if (installedExtension "15") ? hasBackgroundWorker then "True" else "False"
+      }
+      sql_test_directory = Path("${../../tests}")
+      pg_regress_test_name = "${(installedExtension "15").pgRegressTestName or pname}"
+
+      ${builtins.readFile ./lib.py}
+
+      start_all()
+
+      server.wait_for_unit("multi-user.target")
+      server.wait_for_unit("postgresql.service")
+
+      test = PostgresExtensionTest(server, extension_name, versions, sql_test_directory, support_upgrade)
+
+
+      with subtest("Check upgrade path with postgresql 15"):
+        test.check_upgrade_path("15")
+
+      with subtest("Check pg_regress with postgresql 15 after extension upgrade"):
+        test.run_sql_file("${../../../ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql}")
+        test.check_pg_regress(Path("${psql_15}/lib/pgxs/src/test/regress/pg_regress"), "15", pg_regress_test_name)
+
+      last_version = None
+      with subtest("Check the install of the last version of the extension"):
+        last_version = test.check_install_last_version("15")
+
+      with subtest("Check pg_regress with postgresql 15 after installing the last version"):
+        test.run_sql_file("${../../../ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql}")
+        test.check_pg_regress(Path("${psql_15}/lib/pgxs/src/test/regress/pg_regress"), "15", pg_regress_test_name)
+
+      with subtest("switch to postgresql 17"):
+        server.succeed(
+          f"{pg17_configuration}/bin/switch-to-configuration test >&2"
+        )
+
+      with subtest("Check last version of the extension after postgresql upgrade"):
+        test.assert_version_matches(last_version)
+
+      with subtest("Check upgrade path with postgresql 17"):
+        test.check_upgrade_path("17")
+
+      with subtest("Check pg_regress with postgresql 17 after extension upgrade"):
+        test.run_sql_file("${../../../ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql}")
+        test.check_pg_regress(Path("${psql_17}/lib/pgxs/src/test/regress/pg_regress"), "17", pg_regress_test_name)
+
+      with subtest("Check the install of the last version of the extension"):
+        test.check_install_last_version("17")
+
+      with subtest("Check pg_regress with postgresql 17 after installing the last version"):
+        test.run_sql_file("${../../../ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql}")
+        test.check_pg_regress(Path("${psql_17}/lib/pgxs/src/test/regress/pg_regress"), "17", pg_regress_test_name)
+    '';
+}