test: roles privileges, memberships, attributes

regress the following aspects:

* roles attributes
* roles memberships
* roles privileges on schemas
* centralizes all role tests in roles.sql
  + Removes redundant checks in auth test
  + Removes redundant checks in storage test

Author: steve-chavez

migrations/db/init-scripts/README.md

@@ -0,0 +1,7 @@
+
+The effects of these migrations are tested on:
+
+- [nix/tests/sql/auth.out](../../../nix/tests/expected/auth.out)
+- [nix/tests/sql/storage.out](../../../nix/tests/expected/storage.out)
+- [nix/tests/sql/roles.out](../../../nix/tests/expected/roles.out)
+- [nix/tests/sql/evtrigs.out](../../../nix/tests/expected/evtrigs.out)

nix/tests/expected/auth.out

@@ -13,33 +13,6 @@ where
  auth        | supabase_admin
 (1 row)
 
--- attributes of the supabase_auth_admin
-select
-  rolcreaterole  ,
-  rolcanlogin    ,
-  rolsuper       ,
-  rolinherit     ,
-  rolcreatedb    ,
-  rolreplication ,
-  rolconnlimit   ,
-  rolbypassrls   ,
-  rolvaliduntil
-from pg_roles r
-where r.rolname = 'supabase_auth_admin';
- rolcreaterole | rolcanlogin | rolsuper | rolinherit | rolcreatedb | rolreplication | rolconnlimit | rolbypassrls | rolvaliduntil 
----------------+-------------+----------+------------+-------------+----------------+--------------+--------------+---------------
- t             | t           | f        | f          | f           | f              |           -1 | f            | 
-(1 row)
-
-select
-  rolconfig
-from pg_roles r
-where r.rolname = 'supabase_auth_admin';
-                                    rolconfig                                    
----------------------------------------------------------------------------------
- {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none}
-(1 row)
-
 -- auth schema tables with owners and rls policies
 select
   ns.nspname as schema_name,
@@ -129,52 +102,3 @@ order by
  auth        | uid           | supabase_auth_admin
 (3 rows)
 
--- roles which have USAGE on the auth schema
-select
-  n.nspname as schema_name,
-  r.rolname as role_name,
-  a.privilege_type
-from
-  pg_namespace n
-cross join lateral aclexplode(n.nspacl) as a
-join
-  pg_roles r on a.grantee = r.oid
-where
-  n.nspname = 'auth'
-  and a.privilege_type = 'USAGE'
-order by
-  r.rolname;
- schema_name |      role_name      | privilege_type 
--------------+---------------------+----------------
- auth        | anon                | USAGE
- auth        | authenticated       | USAGE
- auth        | dashboard_user      | USAGE
- auth        | postgres            | USAGE
- auth        | service_role        | USAGE
- auth        | supabase_admin      | USAGE
- auth        | supabase_auth_admin | USAGE
-(7 rows)
-
--- roles which have CREATE on the auth schema
-select
-  n.nspname as schema_name,
-  r.rolname as role_name,
-  a.privilege_type
-from
-  pg_namespace n
-cross join lateral aclexplode(n.nspacl) as a
-join
-  pg_roles r on a.grantee = r.oid
-where
-  n.nspname = 'auth'
-  and a.privilege_type = 'CREATE'
-order by
-  r.rolname;
- schema_name |      role_name      | privilege_type 
--------------+---------------------+----------------
- auth        | dashboard_user      | CREATE
- auth        | postgres            | CREATE
- auth        | supabase_admin      | CREATE
- auth        | supabase_auth_admin | CREATE
-(4 rows)
-

nix/tests/expected/default_privs.out

@@ -13,33 +13,6 @@ where
  storage     | supabase_admin
 (1 row)
 
--- attributes of the supabase_storage_admin
-select
-  rolcreaterole  ,
-  rolcanlogin    ,
-  rolsuper       ,
-  rolinherit     ,
-  rolcreatedb    ,
-  rolreplication ,
-  rolconnlimit   ,
-  rolbypassrls   ,
-  rolvaliduntil
-from pg_roles r
-where r.rolname = 'supabase_storage_admin';
- rolcreaterole | rolcanlogin | rolsuper | rolinherit | rolcreatedb | rolreplication | rolconnlimit | rolbypassrls | rolvaliduntil 
----------------+-------------+----------+------------+-------------+----------------+--------------+--------------+---------------
- t             | t           | f        | f          | f           | f              |           -1 | f            | 
-(1 row)
-
-select
-  rolconfig
-from pg_roles r
-where r.rolname = 'supabase_storage_admin';
-                rolconfig                 
-------------------------------------------
- {search_path=storage,log_statement=none}
-(1 row)
-
 -- storage schema tables with owners and rls policies
 select
   ns.nspname as schema_name,
@@ -123,52 +96,3 @@ order by
  storage     | search        | supabase_storage_admin
 (4 rows)
 
--- roles which have USAGE on the storage schema
-select
-  n.nspname as schema_name,
-  r.rolname as role_name,
-  a.privilege_type
-from
-  pg_namespace n
-cross join lateral aclexplode(n.nspacl) as a
-join
-  pg_roles r on a.grantee = r.oid
-where
-  n.nspname = 'storage'
-  and a.privilege_type = 'USAGE'
-order by
-  r.rolname;
- schema_name |       role_name        | privilege_type 
--------------+------------------------+----------------
- storage     | anon                   | USAGE
- storage     | authenticated          | USAGE
- storage     | dashboard_user         | USAGE
- storage     | postgres               | USAGE
- storage     | service_role           | USAGE
- storage     | supabase_admin         | USAGE
- storage     | supabase_storage_admin | USAGE
-(7 rows)
-
--- roles which have CREATE on the storage schema
-select
-  n.nspname as schema_name,
-  r.rolname as role_name,
-  a.privilege_type
-from
-  pg_namespace n
-cross join lateral aclexplode(n.nspacl) as a
-join
-  pg_roles r on a.grantee = r.oid
-where
-  n.nspname = 'storage'
-  and a.privilege_type = 'CREATE'
-order by
-  r.rolname;
- schema_name |       role_name        | privilege_type 
--------------+------------------------+----------------
- storage     | dashboard_user         | CREATE
- storage     | postgres               | CREATE
- storage     | supabase_admin         | CREATE
- storage     | supabase_storage_admin | CREATE
-(4 rows)
-

nix/tests/expected/roles.out

@@ -9,25 +9,6 @@ join
 where
   n.nspname = 'auth';
 
--- attributes of the supabase_auth_admin
-select
-  rolcreaterole  ,
-  rolcanlogin    ,
-  rolsuper       ,
-  rolinherit     ,
-  rolcreatedb    ,
-  rolreplication ,
-  rolconnlimit   ,
-  rolbypassrls   ,
-  rolvaliduntil
-from pg_roles r
-where r.rolname = 'supabase_auth_admin';
-
-select
-  rolconfig
-from pg_roles r
-where r.rolname = 'supabase_auth_admin';
-
 -- auth schema tables with owners and rls policies
 select
   ns.nspname as schema_name,
@@ -87,35 +68,3 @@ where
   n.nspname = 'auth'
 order by
   p.proname;
-
--- roles which have USAGE on the auth schema
-select
-  n.nspname as schema_name,
-  r.rolname as role_name,
-  a.privilege_type
-from
-  pg_namespace n
-cross join lateral aclexplode(n.nspacl) as a
-join
-  pg_roles r on a.grantee = r.oid
-where
-  n.nspname = 'auth'
-  and a.privilege_type = 'USAGE'
-order by
-  r.rolname;
-
--- roles which have CREATE on the auth schema
-select
-  n.nspname as schema_name,
-  r.rolname as role_name,
-  a.privilege_type
-from
-  pg_namespace n
-cross join lateral aclexplode(n.nspacl) as a
-join
-  pg_roles r on a.grantee = r.oid
-where
-  n.nspname = 'auth'
-  and a.privilege_type = 'CREATE'
-order by
-  r.rolname;

nix/tests/expected/storage.out

@@ -0,0 +1,77 @@
+-- all roles and attributes
+select
+  rolname,
+  rolcreaterole  ,
+  rolcanlogin    ,
+  rolsuper       ,
+  rolinherit     ,
+  rolcreatedb    ,
+  rolreplication ,
+  rolconnlimit   ,
+  rolbypassrls   ,
+  rolvaliduntil
+from pg_roles r
+-- TODO: this exclusion is to maintain compat with pg17, we should cover it
+where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+order by rolname;
+
+select
+  rolname,
+  rolconfig
+from pg_roles r
+-- TODO: this exclusion is to maintain compat with pg17, we should cover it
+where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+order by rolname;
+
+-- all role memberships
+select
+    r.rolname as member,
+    g.rolname as "member_of (can become)",
+    m.admin_option
+from
+    pg_roles r
+left join
+    pg_auth_members m on r.oid = m.member
+left join
+    pg_roles g on m.roleid = g.oid
+-- TODO: this exclusion is to maintain compat with pg17, we should cover it
+where r.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+order by
+    r.rolname, g.rolname;
+
+-- Check all privileges of the roles on the schemas
+select schema_name, privilege_type, grantee, default_for
+from (
+    -- ALTER DEFAULT privileges on schemas
+    select
+        n.nspname as schema_name,
+        a.privilege_type,
+        r.rolname as grantee,
+        d.defaclrole::regrole as default_for,
+        case when n.nspname = 'public' then 0 else 1 end as schema_order
+    from
+        pg_default_acl d
+    join
+        pg_namespace n on d.defaclnamespace = n.oid
+    cross join lateral aclexplode(d.defaclacl) as a
+    join
+        pg_roles r on a.grantee = r.oid
+    where
+        a.privilege_type != 'MAINTAIN' -- TODO: this is to maintain compat with pg17, we should cover it
+    union all
+    -- explicit grant usage and create on the schemas
+    select
+        n.nspname as schema_name,
+        a.privilege_type,
+        r.rolname as grantee,
+        n.nspowner::regrole as default_for,
+        case when n.nspname = 'public' then 0 else 1 end as schema_order
+    from
+        pg_namespace n
+    cross join lateral aclexplode(n.nspacl) as a
+    join
+        pg_roles r on a.grantee = r.oid
+    where
+        a.privilege_type in ('CREATE', 'USAGE')
+) sub
+order by schema_order, schema_name, privilege_type, grantee, default_for;

nix/tests/sql/auth.sql

@@ -9,25 +9,6 @@ join
 where
   n.nspname = 'storage';
 
--- attributes of the supabase_storage_admin
-select
-  rolcreaterole  ,
-  rolcanlogin    ,
-  rolsuper       ,
-  rolinherit     ,
-  rolcreatedb    ,
-  rolreplication ,
-  rolconnlimit   ,
-  rolbypassrls   ,
-  rolvaliduntil
-from pg_roles r
-where r.rolname = 'supabase_storage_admin';
-
-select
-  rolconfig
-from pg_roles r
-where r.rolname = 'supabase_storage_admin';
-
 -- storage schema tables with owners and rls policies
 select
   ns.nspname as schema_name,
@@ -87,35 +68,3 @@ where
   n.nspname = 'storage'
 order by
   p.proname;
-
--- roles which have USAGE on the storage schema
-select
-  n.nspname as schema_name,
-  r.rolname as role_name,
-  a.privilege_type
-from
-  pg_namespace n
-cross join lateral aclexplode(n.nspacl) as a
-join
-  pg_roles r on a.grantee = r.oid
-where
-  n.nspname = 'storage'
-  and a.privilege_type = 'USAGE'
-order by
-  r.rolname;
-
--- roles which have CREATE on the storage schema
-select
-  n.nspname as schema_name,
-  r.rolname as role_name,
-  a.privilege_type
-from
-  pg_namespace n
-cross join lateral aclexplode(n.nspacl) as a
-join
-  pg_roles r on a.grantee = r.oid
-where
-  n.nspname = 'storage'
-  and a.privilege_type = 'CREATE'
-order by
-  r.rolname;