@pgpm/encrypted-secrets-table 0.4.0

package/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 Dan Lynch <pyramation@gmail.com>
+Copyright (c) 2025 Interweb, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/Makefile

@@ -0,0 +1,6 @@
+EXTENSION = launchql-encrypted-secrets-table
+DATA = sql/launchql-encrypted-secrets-table--0.1.0.sql
+
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)

package/README.md

@@ -0,0 +1,5 @@
+# @pgpm/encrypted-secrets-table
+
+Table-based encrypted secrets storage and retrieval.
+
+Extends encrypted secrets functionality with table-based storage, providing structured access to encrypted sensitive data.

package/__tests__/__snapshots__/secrets-table.test.ts.snap

@@ -0,0 +1,38 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`encrypted secrets table should have secrets_table with correct structure 1`] = `
+{
+  "columns": [
+    {
+      "column_default": "uuid_generate_v4()",
+      "column_name": "id",
+      "data_type": "uuid",
+      "is_nullable": "NO",
+    },
+    {
+      "column_default": null,
+      "column_name": "secrets_owned_field",
+      "data_type": "uuid",
+      "is_nullable": "NO",
+    },
+    {
+      "column_default": null,
+      "column_name": "name",
+      "data_type": "text",
+      "is_nullable": "NO",
+    },
+    {
+      "column_default": null,
+      "column_name": "secrets_value_field",
+      "data_type": "bytea",
+      "is_nullable": "YES",
+    },
+    {
+      "column_default": null,
+      "column_name": "secrets_enc_field",
+      "data_type": "text",
+      "is_nullable": "YES",
+    },
+  ],
+}
+`;

package/__tests__/secrets-table.test.ts

@@ -0,0 +1,273 @@
+import { getConnections, PgTestClient } from 'pgsql-test';
+import { snapshot } from 'graphile-test';
+
+let pg: PgTestClient;
+let teardown: () => Promise<void>;
+
+const user_id = 'dc474833-318a-41f5-9239-ee563ab657a6';
+const user_id_2 = '550e8400-e29b-41d4-a716-446655440000';
+
+describe('encrypted secrets table', () => {
+  beforeAll(async () => {
+    ({ pg, teardown } = await getConnections());
+  });
+
+  afterAll(async () => {
+    await teardown();
+  });
+
+  beforeEach(async () => {
+    await pg.beforeEach();
+  });
+
+  afterEach(async () => {
+    await pg.afterEach();
+  });
+
+  it('should have secrets_schema created', async () => {
+    const schemas = await pg.any(
+      `SELECT schema_name FROM information_schema.schemata WHERE schema_name = 'secrets_schema'`
+    );
+    expect(schemas).toHaveLength(1);
+    expect(schemas[0].schema_name).toBe('secrets_schema');
+  });
+
+  it('should have secrets_table with correct structure', async () => {
+    const columns = await pg.any(
+      `SELECT column_name, data_type, is_nullable, column_default
+       FROM information_schema.columns 
+       WHERE table_schema = 'secrets_schema' AND table_name = 'secrets_table'
+       ORDER BY ordinal_position`
+    );
+    
+    expect(snapshot({ columns })).toMatchSnapshot();
+  });
+
+  it('should have unique constraint on (secrets_owned_field, name)', async () => {
+    const constraints = await pg.any(
+      `SELECT constraint_name, constraint_type
+       FROM information_schema.table_constraints
+       WHERE table_schema = 'secrets_schema' 
+       AND table_name = 'secrets_table'
+       AND constraint_type = 'UNIQUE'`
+    );
+    
+    expect(constraints).toHaveLength(1);
+  });
+
+  it('should insert record with default values', async () => {
+    const [result] = await pg.any(
+      `INSERT INTO secrets_schema.secrets_table 
+       (secrets_owned_field, name, secrets_value_field, secrets_enc_field)
+       VALUES ($1::uuid, 'test-secret', 'test-value'::bytea, 'none')
+       RETURNING *`,
+      [user_id]
+    );
+
+    expect(result.secrets_owned_field).toBe(user_id);
+    expect(result.name).toBe('test-secret');
+    expect(result.secrets_enc_field).toBe('none');
+    expect(result.id).toBeDefined();
+  });
+
+  it('should enforce unique constraint on (secrets_owned_field, name)', async () => {
+    // Insert first record
+    await pg.any(
+      `INSERT INTO secrets_schema.secrets_table 
+       (secrets_owned_field, name, secrets_value_field, secrets_enc_field)
+       VALUES ($1::uuid, 'duplicate-name', 'value1'::bytea, 'none')`,
+      [user_id]
+    );
+
+    // Try to insert duplicate - should fail
+    await expect(
+      pg.any(
+        `INSERT INTO secrets_schema.secrets_table 
+         (secrets_owned_field, name, secrets_value_field, secrets_enc_field)
+         VALUES ($1::uuid, 'duplicate-name', 'value2'::bytea, 'none')`,
+        [user_id]
+      )
+    ).rejects.toThrow();
+  });
+
+  it('should allow same name for different users', async () => {
+    // Insert for first user
+    await pg.any(
+      `INSERT INTO secrets_schema.secrets_table 
+       (secrets_owned_field, name, secrets_value_field, secrets_enc_field)
+       VALUES ($1::uuid, 'same-name', 'value1'::bytea, 'none')`,
+      [user_id]
+    );
+
+    // Insert for second user - should succeed
+    const [result] = await pg.any(
+      `INSERT INTO secrets_schema.secrets_table 
+       (secrets_owned_field, name, secrets_value_field, secrets_enc_field)
+       VALUES ($1::uuid, 'same-name', 'value2'::bytea, 'none')
+       RETURNING *`,
+      [user_id_2]
+    );
+
+    expect(result.secrets_owned_field).toBe(user_id_2);
+    expect(result.name).toBe('same-name');
+  });
+
+  it('should trigger hash_secrets on insert with crypt', async () => {
+    const plaintext = 'my-secret-password';
+    
+    const [result] = await pg.any(
+      `INSERT INTO secrets_schema.secrets_table 
+       (secrets_owned_field, name, secrets_value_field, secrets_enc_field)
+       VALUES ($1::uuid, 'crypt-secret', $2::bytea, 'crypt')
+       RETURNING *`,
+      [user_id, plaintext]
+    );
+
+    // The trigger should have hashed the value
+    expect(result.secrets_enc_field).toBe('crypt');
+    expect(result.secrets_value_field).not.toEqual(Buffer.from(plaintext));
+    
+    // Verify it's a bcrypt hash (starts with $2)
+    const hashedValue = result.secrets_value_field.toString();
+    expect(hashedValue).toMatch(/^\$2[aby]?\$/);
+  });
+
+  it('should trigger hash_secrets on insert with pgp', async () => {
+    const plaintext = 'my-secret-data';
+    
+    const [result] = await pg.any(
+      `INSERT INTO secrets_schema.secrets_table 
+       (secrets_owned_field, name, secrets_value_field, secrets_enc_field)
+       VALUES ($1::uuid, 'pgp-secret', $2::bytea, 'pgp')
+       RETURNING *`,
+      [user_id, plaintext]
+    );
+
+    // The trigger should have encrypted the value
+    expect(result.secrets_enc_field).toBe('pgp');
+    expect(result.secrets_value_field).not.toEqual(Buffer.from(plaintext));
+    
+    // Should be longer than original due to encryption
+    expect(result.secrets_value_field.length).toBeGreaterThan(plaintext.length);
+  });
+
+  it('should default to none encryption when not specified', async () => {
+    const plaintext = 'unencrypted-data';
+    
+    const [result] = await pg.any(
+      `INSERT INTO secrets_schema.secrets_table 
+       (secrets_owned_field, name, secrets_value_field)
+       VALUES ($1::uuid, 'none-secret', $2::bytea)
+       RETURNING *`,
+      [user_id, plaintext]
+    );
+
+    // The trigger should set enc_field to 'none'
+    expect(result.secrets_enc_field).toBe('none');
+    expect(result.secrets_value_field).toEqual(Buffer.from(plaintext));
+  });
+
+  it('should trigger hash_secrets on update when value changes', async () => {
+    // Insert initial record
+    const [initial] = await pg.any(
+      `INSERT INTO secrets_schema.secrets_table 
+       (secrets_owned_field, name, secrets_value_field, secrets_enc_field)
+       VALUES ($1::uuid, 'update-test', 'initial-value'::bytea, 'none')
+       RETURNING *`,
+      [user_id]
+    );
+
+    // Update to use crypt encryption
+    const [updated] = await pg.any(
+      `UPDATE secrets_schema.secrets_table 
+       SET secrets_value_field = 'new-password'::bytea, secrets_enc_field = 'crypt'
+       WHERE id = $1
+       RETURNING *`,
+      [initial.id]
+    );
+
+    // Should be encrypted now
+    expect(updated.secrets_enc_field).toBe('crypt');
+    expect(updated.secrets_value_field).not.toEqual(Buffer.from('new-password'));
+    
+    // Verify it's a bcrypt hash
+    const hashedValue = updated.secrets_value_field.toString();
+    expect(hashedValue).toMatch(/^\$2[aby]?\$/);
+  });
+
+  it('should not trigger hash_secrets on update when value unchanged', async () => {
+    // Insert initial record with crypt
+    const [initial] = await pg.any(
+      `INSERT INTO secrets_schema.secrets_table 
+       (secrets_owned_field, name, secrets_value_field, secrets_enc_field)
+       VALUES ($1::uuid, 'no-update-test', 'password'::bytea, 'crypt')
+       RETURNING *`,
+      [user_id]
+    );
+
+    const originalHash = initial.secrets_value_field;
+
+    // Update name only (not the value field)
+    const [updated] = await pg.any(
+      `UPDATE secrets_schema.secrets_table 
+       SET name = 'renamed-secret'
+       WHERE id = $1
+       RETURNING *`,
+      [initial.id]
+    );
+
+    // Hash should remain the same
+    expect(updated.secrets_value_field).toEqual(originalHash);
+    expect(updated.name).toBe('renamed-secret');
+  });
+
+  it('should verify crypt hash works correctly', async () => {
+    const password = 'test-password-123';
+    
+    // Insert with crypt
+    const [result] = await pg.any(
+      `INSERT INTO secrets_schema.secrets_table 
+       (secrets_owned_field, name, secrets_value_field, secrets_enc_field)
+       VALUES ($1::uuid, 'crypt-verify', $2::bytea, 'crypt')
+       RETURNING *`,
+      [user_id, password]
+    );
+
+    // The stored hash should be different from the original password
+    const storedHash = result.secrets_value_field.toString();
+    expect(storedHash).not.toBe(password);
+    
+    // Verify it's a proper bcrypt hash format
+    expect(storedHash).toMatch(/^\$2[aby]?\$/);
+    
+    // Verify the hash is the expected length (bcrypt hashes are typically 60 characters)
+    expect(storedHash.length).toBe(60);
+    
+    // Verify that inserting the same password again produces a different hash (salt should be different)
+    const [result2] = await pg.any(
+      `INSERT INTO secrets_schema.secrets_table 
+       (secrets_owned_field, name, secrets_value_field, secrets_enc_field)
+       VALUES ($1::uuid, 'crypt-verify-2', $2::bytea, 'crypt')
+       RETURNING *`,
+      [user_id, password]
+    );
+    
+    const storedHash2 = result2.secrets_value_field.toString();
+    expect(storedHash2).not.toBe(storedHash); // Different salt = different hash
+    expect(storedHash2).toMatch(/^\$2[aby]?\$/);
+  });
+
+  it('should handle null values correctly', async () => {
+    const [result] = await pg.any(
+      `INSERT INTO secrets_schema.secrets_table 
+       (secrets_owned_field, name, secrets_value_field, secrets_enc_field)
+       VALUES ($1::uuid, 'null-test', NULL, NULL)
+       RETURNING *`,
+      [user_id]
+    );
+
+    // Trigger should set enc_field to 'none' even when value is null
+    expect(result.secrets_enc_field).toBe('none');
+    expect(result.secrets_value_field).toBeNull();
+  });
+}); 

package/deploy/schemas/secrets_schema/schema.sql

@@ -0,0 +1,8 @@
+-- Deploy schemas/secrets_schema/schema to pg
+
+
+BEGIN;
+
+CREATE SCHEMA secrets_schema;
+
+COMMIT;

package/deploy/schemas/secrets_schema/tables/secrets_table/table.sql

@@ -0,0 +1,16 @@
+-- Deploy schemas/secrets_schema/tables/secrets_table/table to pg
+
+-- requires: schemas/secrets_schema/schema
+
+BEGIN;
+
+CREATE TABLE secrets_schema.secrets_table (
+  id uuid PRIMARY KEY DEFAULT uuid_generate_v4 (),
+  secrets_owned_field uuid NOT NULL,
+  name text NOT NULL,
+  secrets_value_field bytea NULL,
+  secrets_enc_field text NULL,
+  UNIQUE(secrets_owned_field, name)
+);
+
+COMMIT;

package/deploy/schemas/secrets_schema/tables/secrets_table/triggers/hash_secrets.sql

@@ -0,0 +1,34 @@
+-- Deploy schemas/secrets_schema/tables/secrets_table/triggers/hash_secrets to pg
+
+-- requires: schemas/secrets_schema/schema
+-- requires: schemas/secrets_schema/tables/secrets_table/table
+
+BEGIN;
+
+CREATE FUNCTION secrets_schema.tg_hash_secrets()
+RETURNS TRIGGER AS $$
+BEGIN
+    IF (NEW.secrets_enc_field = 'crypt') THEN
+        NEW.secrets_value_field = crypt(NEW.secrets_value_field::text, gen_salt('bf'));
+    ELSIF (NEW.secrets_enc_field = 'pgp') THEN
+        NEW.secrets_value_field = pgp_sym_encrypt(encode(NEW.secrets_value_field::bytea, 'hex'), NEW.secrets_owned_field::text, 'compress-algo=1, cipher-algo=aes256');
+    ELSE
+        NEW.secrets_enc_field = 'none';
+    END IF;
+    RETURN NEW;
+END;
+$$
+LANGUAGE 'plpgsql' VOLATILE;
+
+CREATE TRIGGER hash_secrets_update
+BEFORE UPDATE ON secrets_schema.secrets_table
+FOR EACH ROW
+WHEN (NEW.secrets_value_field IS DISTINCT FROM OLD.secrets_value_field)
+EXECUTE PROCEDURE secrets_schema.tg_hash_secrets ();
+
+CREATE TRIGGER hash_secrets_insert
+BEFORE INSERT ON secrets_schema.secrets_table
+FOR EACH ROW
+EXECUTE PROCEDURE secrets_schema.tg_hash_secrets ();
+
+COMMIT;

package/jest.config.js

@@ -0,0 +1,15 @@
+/** @type {import('ts-jest').JestConfigWithTsJest} */
+module.exports = {
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+
+  // Match both __tests__ and colocated test files
+  testMatch: ['**/?(*.)+(test|spec).{ts,tsx,js,jsx}'],
+
+  // Ignore build artifacts and type declarations
+  testPathIgnorePatterns: ['/dist/', '\\.d\\.ts$'],
+  modulePathIgnorePatterns: ['<rootDir>/dist/'],
+  watchPathIgnorePatterns: ['/dist/'],
+
+  moduleFileExtensions: ['ts', 'tsx', 'js', 'jsx', 'json', 'node'],
+};

package/launchql-encrypted-secrets-table.control

@@ -0,0 +1,8 @@
+# launchql-encrypted-secrets-table extension
+comment = 'launchql-encrypted-secrets-table extension'
+default_version = '0.1.0'
+module_pathname = '$libdir/launchql-encrypted-secrets-table'
+requires = 'pgcrypto,plpgsql,uuid-ossp,launchql-verify'
+relocatable = false
+superuser = false
+  

package/launchql.plan

@@ -0,0 +1,7 @@
+%syntax-version=1.0.0
+%project=launchql-encrypted-secrets-table
+%uri=launchql-encrypted-secrets-table
+  
+schemas/secrets_schema/schema 2020-11-01T21:41:26Z Dan Lynch <dlynch@Dans-MBP-3> # add schemas/secrets_schema/schema
+schemas/secrets_schema/tables/secrets_table/table [schemas/secrets_schema/schema] 2020-11-01T21:41:51Z Dan Lynch <dlynch@Dans-MBP-3> # add schemas/secrets_schema/tables/secrets_table/table
+schemas/secrets_schema/tables/secrets_table/triggers/hash_secrets [schemas/secrets_schema/schema schemas/secrets_schema/tables/secrets_table/table] 2020-11-01T21:46:08Z Dan Lynch <dlynch@Dans-MBP-3> # add schemas/secrets_schema/tables/secrets_table/triggers/hash_secrets

package/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "@pgpm/encrypted-secrets-table",
+  "version": "0.4.0",
+  "description": "Table-based encrypted secrets storage and retrieval",
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "bundle": "lql package",
+    "test": "jest",
+    "test:watch": "jest --watch"
+  },
+  "dependencies": {
+    "@pgpm/verify": "0.4.0"
+  },
+  "devDependencies": {
+    "@launchql/cli": "^4.9.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/launchql/extensions"
+  },
+  "homepage": "https://github.com/launchql/extensions",
+  "bugs": {
+    "url": "https://github.com/launchql/extensions/issues"
+  },
+  "gitHead": "cc9f52a335caa6e21ee7751b04b77c84ce6cb809"
+}

package/revert/schemas/secrets_schema/schema.sql

@@ -0,0 +1,7 @@
+-- Revert schemas/secrets_schema/schema from pg
+
+BEGIN;
+
+DROP SCHEMA secrets_schema;
+
+COMMIT;

package/revert/schemas/secrets_schema/tables/secrets_table/table.sql

@@ -0,0 +1,7 @@
+-- Revert schemas/secrets_schema/tables/secrets_table/table from pg
+
+BEGIN;
+
+DROP TABLE secrets_schema.secrets_table;
+
+COMMIT;

package/revert/schemas/secrets_schema/tables/secrets_table/triggers/hash_secrets.sql

@@ -0,0 +1,9 @@
+-- Revert schemas/secrets_schema/tables/secrets_table/triggers/hash_secrets from pg
+
+BEGIN;
+
+DROP TRIGGER hash_secrets_update ON secrets_schema.secrets_table;
+DROP TRIGGER hash_secrets_insert ON secrets_schema.secrets_table;
+DROP FUNCTION secrets_schema.tg_hash_secrets; 
+
+COMMIT;

package/sql/launchql-encrypted-secrets-table--0.1.0.sql

@@ -0,0 +1,37 @@
+\echo Use "CREATE EXTENSION launchql-encrypted-secrets-table" to load this file. \quit
+CREATE SCHEMA secrets_schema;
+
+CREATE TABLE secrets_schema.secrets_table (
+  id uuid PRIMARY KEY DEFAULT uuid_generate_v4(),
+  secrets_owned_field uuid NOT NULL,
+  name text NOT NULL,
+  secrets_value_field bytea NULL,
+  secrets_enc_field text NULL,
+  UNIQUE (secrets_owned_field, name)
+);
+
+CREATE FUNCTION secrets_schema.tg_hash_secrets() RETURNS trigger AS $EOFCODE$
+BEGIN
+    IF (NEW.secrets_enc_field = 'crypt') THEN
+        NEW.secrets_value_field = crypt(NEW.secrets_value_field::text, gen_salt('bf'));
+    ELSIF (NEW.secrets_enc_field = 'pgp') THEN
+        NEW.secrets_value_field = pgp_sym_encrypt(encode(NEW.secrets_value_field::bytea, 'hex'), NEW.secrets_owned_field::text, 'compress-algo=1, cipher-algo=aes256');
+    ELSE
+        NEW.secrets_enc_field = 'none';
+    END IF;
+    RETURN NEW;
+END;
+$EOFCODE$ LANGUAGE plpgsql VOLATILE;
+
+CREATE TRIGGER hash_secrets_update
+  BEFORE UPDATE
+  ON secrets_schema.secrets_table
+  FOR EACH ROW
+  WHEN (new.secrets_value_field IS DISTINCT FROM old.secrets_value_field)
+  EXECUTE PROCEDURE secrets_schema.tg_hash_secrets();
+
+CREATE TRIGGER hash_secrets_insert
+  BEFORE INSERT
+  ON secrets_schema.secrets_table
+  FOR EACH ROW
+  EXECUTE PROCEDURE secrets_schema.tg_hash_secrets();

package/verify/schemas/secrets_schema/schema.sql

@@ -0,0 +1,7 @@
+-- Verify schemas/secrets_schema/schema  on pg
+
+BEGIN;
+
+SELECT verify_schema ('secrets_schema');
+
+ROLLBACK;

package/verify/schemas/secrets_schema/tables/secrets_table/table.sql

@@ -0,0 +1,7 @@
+-- Verify schemas/secrets_schema/tables/secrets_table/table on pg
+
+BEGIN;
+
+SELECT verify_table ('secrets_schema.secrets_table');
+
+ROLLBACK;

package/verify/schemas/secrets_schema/tables/secrets_table/triggers/hash_secrets.sql

@@ -0,0 +1,9 @@
+-- Verify schemas/secrets_schema/tables/secrets_table/triggers/hash_secrets  on pg
+
+BEGIN;
+
+SELECT verify_function ('secrets_schema.tg_hash_secrets'); 
+SELECT verify_trigger ('secrets_schema.hash_secrets_update');
+SELECT verify_trigger ('secrets_schema.hash_secrets_insert');
+
+ROLLBACK;