PG-1419 Validate key provider access

AndersAstrand · AndersAstrand · commit caea669ffc84 · 2025-04-16T18:00:47.000+02:00
This adds some validation to make sure we can access the key provider
when it's created to make the user experience a little nicer. The actual
access validation is very rudimentary for now but can easily be
expanded.
diff --git a/contrib/pg_tde/expected/key_provider.out b/contrib/pg_tde/expected/key_provider.out
@@ -162,4 +162,7 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 ----+---------------
 (0 rows)
 
+-- Creating a file key provider fails if we can't open or create the file
+SELECT pg_tde_add_database_key_provider_file('will-not-work','/cant-create-file-in-root.per');
+ERROR:  Failed to open keyring file /cant-create-file-in-root.per :Permission denied
 DROP EXTENSION pg_tde;
diff --git a/contrib/pg_tde/expected/key_provider_1.out b/contrib/pg_tde/expected/key_provider_1.out
@@ -166,4 +166,7 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
  -1 | reg_file-global
 (1 row)
 
+-- Creating a file key provider fails if we can't open or create the file
+SELECT pg_tde_add_database_key_provider_file('will-not-work','/cant-create-file-in-root.per');
+ERROR:  Failed to open keyring file /cant-create-file-in-root.per :Permission denied
 DROP EXTENSION pg_tde;
diff --git a/contrib/pg_tde/expected/kmip_test.out b/contrib/pg_tde/expected/kmip_test.out
@@ -34,4 +34,7 @@ SELECT pg_tde_verify_key();
 (1 row)
 
 DROP TABLE test_enc;
+-- Creating provider fails if we can't connect to kmip server
+SELECT pg_tde_add_database_key_provider_kmip('will-not-work','127.0.0.1', 61, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');
+ERROR:  SSL error: BIO_do_connect failed
 DROP EXTENSION pg_tde;
diff --git a/contrib/pg_tde/expected/vault_v2_test.out b/contrib/pg_tde/expected/vault_v2_test.out
@@ -51,4 +51,7 @@ SELECT pg_tde_verify_key();
 (1 row)
 
 DROP TABLE test_enc;
+-- Creating provider fails if we can't connect to vault
+SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token', 'http://127.0.0.1:61', 'secret', NULL);
+ERROR:  HTTP(S) request to keyring provider "will-not-work" failed
 DROP EXTENSION pg_tde;
diff --git a/contrib/pg_tde/sql/key_provider.sql b/contrib/pg_tde/sql/key_provider.sql
@@ -52,4 +52,7 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 SELECT pg_tde_delete_global_key_provider('file-keyring2');
 SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 
+-- Creating a file key provider fails if we can't open or create the file
+SELECT pg_tde_add_database_key_provider_file('will-not-work','/cant-create-file-in-root.per');
+
 DROP EXTENSION pg_tde;
diff --git a/contrib/pg_tde/sql/kmip_test.sql b/contrib/pg_tde/sql/kmip_test.sql
@@ -19,4 +19,7 @@ SELECT pg_tde_verify_key();
 
 DROP TABLE test_enc;
 
+-- Creating provider fails if we can't connect to kmip server
+SELECT pg_tde_add_database_key_provider_kmip('will-not-work','127.0.0.1', 61, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');
+
 DROP EXTENSION pg_tde;
diff --git a/contrib/pg_tde/sql/vault_v2_test.sql b/contrib/pg_tde/sql/vault_v2_test.sql
@@ -31,4 +31,7 @@ SELECT pg_tde_verify_key();
 
 DROP TABLE test_enc;
 
+-- Creating provider fails if we can't connect to vault
+SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token', 'http://127.0.0.1:61', 'secret', NULL);
+
 DROP EXTENSION pg_tde;
diff --git a/contrib/pg_tde/src/catalog/tde_keyring.c b/contrib/pg_tde/src/catalog/tde_keyring.c
@@ -473,6 +473,8 @@ check_provider_record(KeyringProviderRecord *provider_record)
 				errmsg("Invalid provider options."));
 	}
 
+	KeyringValidate(provider);
+
 	pfree(provider);
 }
 
@@ -562,9 +564,9 @@ save_new_key_provider_info(KeyringProviderRecord *provider, Oid databaseId, bool
 	close(fd);
 
 	/*
-	 * TODO: Should we use overflow aware integer math here? (and then also not
-	 * blindly do abs() on something that might be INT_MIN above). It would be
-	 * overkill to do that, wouldn't it?
+	 * TODO: Should we use overflow aware integer math here? (and then also
+	 * not blindly do abs() on something that might be INT_MIN above). It
+	 * would be overkill to do that, wouldn't it?
 	 */
 	new_provider_id = max_provider_id + 1;
 	provider->provider_id = (databaseId == GLOBAL_DATA_TDE_OID ? -new_provider_id : new_provider_id);
diff --git a/contrib/pg_tde/src/include/keyring/keyring_api.h b/contrib/pg_tde/src/include/keyring/keyring_api.h
@@ -61,6 +61,7 @@ typedef struct TDEKeyringRoutine
 {
 	KeyInfo    *(*keyring_get_key) (GenericKeyring *keyring, const char *key_name, KeyringReturnCodes *returnCode);
 	void		(*keyring_store_key) (GenericKeyring *keyring, KeyInfo *key);
+	void		(*keyring_validate) (GenericKeyring *keyring);
 } TDEKeyringRoutine;
 
 typedef struct FileKeyring
@@ -91,5 +92,6 @@ extern void RegisterKeyProviderType(const TDEKeyringRoutine *routine, ProviderTy
 
 extern KeyInfo *KeyringGetKey(GenericKeyring *keyring, const char *key_name, KeyringReturnCodes *returnCode);
 extern KeyInfo *KeyringGenerateNewKeyAndStore(GenericKeyring *keyring, const char *key_name, unsigned key_len);
+extern void KeyringValidate(GenericKeyring *keyring);
 
 #endif							/* KEYRING_API_H */
diff --git a/contrib/pg_tde/src/keyring/keyring_api.c b/contrib/pg_tde/src/keyring/keyring_api.c
@@ -74,6 +74,7 @@ RegisterKeyProviderType(const TDEKeyringRoutine *routine, ProviderType type)
 	Assert(routine != NULL);
 	Assert(routine->keyring_get_key != NULL);
 	Assert(routine->keyring_store_key != NULL);
+	Assert(routine->keyring_validate != NULL);
 
 	kp = find_key_provider_type(type);
 	if (kp)
@@ -148,3 +149,15 @@ KeyringGenerateNewKeyAndStore(GenericKeyring *keyring, const char *key_name, uns
 
 	return key;
 }
+
+void
+KeyringValidate(GenericKeyring *keyring)
+{
+	RegisteredKeyProviderType *kp = find_key_provider_type(keyring->type);
+
+	if (kp == NULL)
+		ereport(ERROR,
+				errmsg("Key provider of type %d not registered", keyring->type));
+
+	kp->routine->keyring_validate(keyring);
+}
diff --git a/contrib/pg_tde/src/keyring/keyring_file.c b/contrib/pg_tde/src/keyring/keyring_file.c
@@ -28,10 +28,12 @@
 
 static KeyInfo *get_key_by_name(GenericKeyring *keyring, const char *key_name, KeyringReturnCodes *return_code);
 static void set_key_by_name(GenericKeyring *keyring, KeyInfo *key);
+static void validate(GenericKeyring *keyring);
 
 const TDEKeyringRoutine keyringFileRoutine = {
 	.keyring_get_key = get_key_by_name,
-	.keyring_store_key = set_key_by_name
+	.keyring_store_key = set_key_by_name,
+	.keyring_validate = validate,
 };
 
 void
@@ -143,3 +145,19 @@ set_key_by_name(GenericKeyring *keyring, KeyInfo *key)
 	}
 	close(fd);
 }
+
+static void
+validate(GenericKeyring *keyring)
+{
+	FileKeyring *file_keyring = (FileKeyring *) keyring;
+	int fd = BasicOpenFile(file_keyring->file_name, O_CREAT | O_RDWR | PG_BINARY);
+
+	if (fd < 0)
+	{
+		ereport(ERROR,
+				errcode_for_file_access(),
+				errmsg("Failed to open keyring file %s :%m", file_keyring->file_name));
+	}
+
+	close(fd);
+}
diff --git a/contrib/pg_tde/src/keyring/keyring_kmip.c b/contrib/pg_tde/src/keyring/keyring_kmip.c
@@ -26,10 +26,12 @@
 
 static void set_key_by_name(GenericKeyring *keyring, KeyInfo *key);
 static KeyInfo *get_key_by_name(GenericKeyring *keyring, const char *key_name, KeyringReturnCodes *return_code);
+static void validate(GenericKeyring *keyring);
 
 const TDEKeyringRoutine keyringKmipRoutine = {
 	.keyring_get_key = get_key_by_name,
-	.keyring_store_key = set_key_by_name
+	.keyring_store_key = set_key_by_name,
+	.keyring_validate = validate,
 };
 
 void
@@ -204,3 +206,14 @@ get_key_by_name(GenericKeyring *keyring, const char *key_name, KeyringReturnCode
 
 	return key;
 }
+
+static void validate(GenericKeyring *keyring)
+{
+	KmipKeyring *kmip_keyring = (KmipKeyring *) keyring;
+	KmipCtx		ctx;
+
+	kmipSslConnect(&ctx, kmip_keyring, true);
+
+	BIO_free_all(ctx.bio);
+	SSL_CTX_free(ctx.ssl);
+}
diff --git a/contrib/pg_tde/src/keyring/keyring_vault.c b/contrib/pg_tde/src/keyring/keyring_vault.c
@@ -70,10 +70,12 @@ static bool curl_perform(VaultV2Keyring *keyring, const char *url, CurlString *o
 
 static void set_key_by_name(GenericKeyring *keyring, KeyInfo *key);
 static KeyInfo *get_key_by_name(GenericKeyring *keyring, const char *key_name, KeyringReturnCodes *return_code);
+static void validate(GenericKeyring *keyring);
 
 const TDEKeyringRoutine keyringVaultV2Routine = {
 	.keyring_get_key = get_key_by_name,
-	.keyring_store_key = set_key_by_name
+	.keyring_store_key = set_key_by_name,
+	.keyring_validate = validate,
 };
 
 void
@@ -300,6 +302,32 @@ get_key_by_name(GenericKeyring *keyring, const char *key_name, KeyringReturnCode
 	return key;
 }
 
+static void
+validate(GenericKeyring *keyring)
+{
+	VaultV2Keyring *vault_keyring = (VaultV2Keyring *) keyring;
+	char		url[VAULT_URL_MAX_LEN];
+	CurlString	str;
+	long		httpCode = 0;
+
+	/*
+	 * Just try to connect to the mount URL with an empty key name to see if we
+	 * get any response. There might be better ways to validate vault
+	 * connectivity we want to look into in the future.
+	 */
+	get_keyring_vault_url(vault_keyring, "", url, sizeof(url));
+
+	if (!curl_perform(vault_keyring, url, &str, &httpCode, NULL))
+	{
+		ereport(ERROR,
+				errmsg("HTTP(S) request to keyring provider \"%s\" failed",
+					   vault_keyring->keyring.provider_name));
+	}
+
+	if (str.ptr != NULL)
+		pfree(str.ptr);
+}
+
 /*
  * JSON parser routines
  *
