percona · AndersAstrand · Apr 23, 2025 · Apr 10, 2025 · Apr 16, 2025 · Apr 17, 2025
@@ -15,7 +15,6 @@ cache_alloc \
 change_access_method \
 insert_update_delete \
 key_provider \
-keyprovider_dependency \
 kmip_test \
 partition_table \
 pg_tde_is_encrypted \

@@ -206,8 +206,6 @@ To add a database specific provider:
 pg_tde_add_database_key_provider_<TYPE>('provider_name', ... details ...)
 ```
 
-Note that in these functions do not verify the parameters. For that, see `pg_tde_verify_key`.
-
 ### Changing providers
 
 To change a value of a global provider:

@@ -160,4 +160,7 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
  -1 | file-keyring
 (1 row)
 
+-- Creating a file key provider fails if we can't open or create the file
+SELECT pg_tde_add_database_key_provider_file('will-not-work','/cant-create-file-in-root.per');
+ERROR:  Failed to open keyring file /cant-create-file-in-root.per: Permission denied
 DROP EXTENSION pg_tde;
@@ -164,4 +164,7 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
  -2 | file-keyring
 (2 rows)
 
+-- Creating a file key provider fails if we can't open or create the file
+SELECT pg_tde_add_database_key_provider_file('will-not-work','/cant-create-file-in-root.per');
+ERROR:  Failed to open keyring file /cant-create-file-in-root.per: Permission denied
 DROP EXTENSION pg_tde;
@@ -34,4 +34,7 @@ SELECT pg_tde_verify_key();
 (1 row)
 
 DROP TABLE test_enc;
+-- Creating provider fails if we can't connect to kmip server
+SELECT pg_tde_add_database_key_provider_kmip('will-not-work','127.0.0.1', 61, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');
+ERROR:  SSL error: BIO_do_connect failed
 DROP EXTENSION pg_tde;
@@ -51,4 +51,7 @@ SELECT pg_tde_verify_key();
 (1 row)
 
 DROP TABLE test_enc;
+-- Creating provider fails if we can't connect to vault
+SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token', 'http://127.0.0.1:61', 'secret', NULL);
+ERROR:  HTTP(S) request to keyring provider "will-not-work" failed
 DROP EXTENSION pg_tde;
@@ -90,7 +90,6 @@ sql_tests = [
   'change_access_method',
   'insert_update_delete',
   'key_provider',
-  'keyprovider_dependency',
   'kmip_test',
   'partition_table',
   'pg_tde_is_encrypted',

@@ -52,4 +52,7 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 SELECT pg_tde_delete_global_key_provider('file-keyring2');
 SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 
+-- Creating a file key provider fails if we can't open or create the file
+SELECT pg_tde_add_database_key_provider_file('will-not-work','/cant-create-file-in-root.per');
+
 DROP EXTENSION pg_tde;
@@ -19,4 +19,7 @@ SELECT pg_tde_verify_key();
 
 DROP TABLE test_enc;
 
+-- Creating provider fails if we can't connect to kmip server
+SELECT pg_tde_add_database_key_provider_kmip('will-not-work','127.0.0.1', 61, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');
+
 DROP EXTENSION pg_tde;
@@ -31,4 +31,7 @@ SELECT pg_tde_verify_key();
 
 DROP TABLE test_enc;
 
+-- Creating provider fails if we can't connect to vault
+SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token', 'http://127.0.0.1:61', 'secret', NULL);
+
 DROP EXTENSION pg_tde;
@@ -68,7 +68,7 @@ tdeheap_rmgr_redo(XLogReaderState *record)
 	}
 	else if (info == XLOG_TDE_WRITE_KEY_PROVIDER)
 	{
-		KeyringProviderXLRecord *xlrec = (KeyringProviderXLRecord *) XLogRecGetData(record);
+		KeyringProviderRecordInFile *xlrec = (KeyringProviderRecordInFile *) XLogRecGetData(record);
 
 		redo_key_provider_info(xlrec);
 	}
@@ -109,7 +109,7 @@ tdeheap_rmgr_desc(StringInfo buf, XLogReaderState *record)
 	}
 	else if (info == XLOG_TDE_WRITE_KEY_PROVIDER)
 	{
-		KeyringProviderXLRecord *xlrec = (KeyringProviderXLRecord *) XLogRecGetData(record);
+		KeyringProviderRecordInFile *xlrec = (KeyringProviderRecordInFile *) XLogRecGetData(record);
 
 		appendStringInfo(buf, "db: %u, provider id: %d", xlrec->database_id, xlrec->provider.provider_id);
 	}