This function returns the ranges of WAL records that are encrypted. It returns a set of records with the start and end LSNs and TLI for each range.

SELECT * FROM pg_tde_get_wal_encryption_ranges();

't/wal_encryption_ranges.pl',

CREATE FUNCTION pg_tde_get_wal_encryption_ranges

(OUT start_tli integer,

OUT start_lsn pg_lsn,

OUT end_tli integer,

OUT end_lsn pg_lsn)

RETURNS SETOF RECORD

LANGUAGE C

AS 'MODULE_PATHNAME';

REVOKE ALL ON FUNCTION pg_tde_get_wal_encryption_ranges() FROM PUBLIC;

#define PG_TDE_LIST_WAL_KEYS_RANGES_COLS 4

PG_FUNCTION_INFO_V1(pg_tde_get_wal_encryption_ranges);

pg_tde_get_wal_encryption_ranges(PG_FUNCTION_ARGS)

{

Tuplestorestate *tupstore;

TupleDesc tupdesc;

ReturnSetInfo *rsinfo = (ReturnSetInfo *) fcinfo->resultinfo;

MemoryContext per_query_ctx;

MemoryContext oldcontext;

WALKeyCacheRec *keys;

WalLocation loc = {.tli = 0,.lsn = 0};

/* check to see if caller supports us returning a tuplestore */

if (rsinfo == NULL || !IsA(rsinfo, ReturnSetInfo))

ereport(ERROR,

errcode(ERRCODE_FEATURE_NOT_SUPPORTED),

errmsg("set-valued function called in context that cannot accept a set"));

if (!(rsinfo->allowedModes & SFRM_Materialize))

ereport(ERROR,

errcode(ERRCODE_FEATURE_NOT_SUPPORTED),

errmsg("materialize mode required, but it is not allowed in this context"));

/* Switch into long-lived context to construct returned data structures */

per_query_ctx = rsinfo->econtext->ecxt_per_query_memory;

oldcontext = MemoryContextSwitchTo(per_query_ctx);

/* Build a tuple descriptor for our result type */

if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE)

elog(ERROR, "return type must be a row type");

tupstore = tuplestore_begin_heap(true, false, work_mem);

rsinfo->returnMode = SFRM_Materialize;

rsinfo->setResult = tupstore;

rsinfo->setDesc = tupdesc;

MemoryContextSwitchTo(oldcontext);

keys = pg_tde_fetch_wal_keys(loc);

for (WALKeyCacheRec *curr_key = keys; curr_key != NULL; curr_key = curr_key->next)

{

Datum values[PG_TDE_LIST_WAL_KEYS_RANGES_COLS] = {0};

bool nulls[PG_TDE_LIST_WAL_KEYS_RANGES_COLS] = {0};

int i = 0;

if (curr_key->key.type != WAL_KEY_TYPE_ENCRYPTED)

continue;

values[i++] = Int64GetDatum(curr_key->start.tli);

values[i++] = Int64GetDatum(curr_key->start.lsn);

values[i++] = Int64GetDatum(curr_key->end.tli);

values[i++] = Int64GetDatum(curr_key->end.lsn);

tuplestore_putvalues(tupstore, tupdesc, values, nulls);

}

return (Datum) 0;

}

SELECT pg_tde_is_wal_record_encrypted(pg_current_wal_lsn());

use strict;

use warnings;

use File::Basename;

use Test::More;

use lib 't';

use pgtde;

PGTDE::setup_files_dir(basename($0));

unlink('/tmp/wal_encryption_ranges.per');

my $psql_out = '';

my $node = PostgreSQL::Test::Cluster->new('main');

$node->init;

$node->append_conf('postgresql.conf', "shared_preload_libraries = 'pg_tde'");

$node->append_conf('postgresql.conf', "wal_level = 'logical'");

$node->start;

$node->psql('postgres', "CREATE EXTENSION pg_tde;");

$node->psql('postgres',

"SELECT pg_tde_add_global_key_provider_file('file-keyring', '/tmp/wal_encryption_ranges.per');"

);

$node->psql('postgres',

"SELECT pg_tde_create_key_using_global_key_provider('server-key', 'file-keyring');"

);

$node->psql('postgres',

"SELECT pg_tde_set_server_key_using_global_key_provider('server-key', 'file-keyring');"

);

$node->psql('postgres', 'SELECT pg_tde_verify_server_key();');

$node->psql('postgres',

'CREATE TABLE test_wal (id SERIAL, k INTEGER, PRIMARY KEY (id));');

$node->psql('postgres', 'ALTER SYSTEM SET pg_tde.wal_encrypt = on;');

$node->restart;

$node->psql('postgres', 'INSERT INTO test_wal (k) VALUES (1), (2);');

my $enc_lsn = $node->safe_psql('postgres', "SELECT pg_current_wal_lsn();");

$node->psql(

'postgres',

"SELECT pg_tde_is_wal_record_encrypted('$enc_lsn'::pg_lsn);",

stdout => \$psql_out);

is($psql_out, 't', "Check that WAL record is encrypted");

$node->psql('postgres', 'SELECT pg_switch_wal();');

$node->psql('postgres', 'ALTER SYSTEM SET pg_tde.wal_encrypt = off;');

$node->restart;

$node->psql('postgres', 'INSERT INTO test_wal (k) VALUES (3), (4);');

my $dec_lsn = $node->safe_psql('postgres', "SELECT pg_current_wal_lsn();");

$node->psql(

'postgres',

"SELECT pg_tde_is_wal_record_encrypted('$dec_lsn'::pg_lsn);",

stdout => \$psql_out);

is($psql_out, 'f', "Check that WAL record is not encrypted");

$node->psql(

'postgres',

"SELECT pg_tde_is_wal_record_encrypted('$enc_lsn'::pg_lsn);",

stdout => \$psql_out);

is($psql_out, 't', "Check that WAL record is still encrypted");

my $ranges_count = $node->safe_psql(

'postgres', "SELECT count(*) FROM pg_tde_get_wal_encryption_ranges()

AND end_tli = 1;");

is($ranges_count, 1,

"Check that WAL records correspond to expected encryption range");

$node->psql('postgres', 'DROP EXTENSION pg_tde;');

$node->stop;

done_testing();