test: regression for storage schema

tests the following aspects:

* storage schema owner
* storage tables with owners and rls policies
* storage functions with owners
* storage indexes with owners
* roles which have USAGE and CREATE on the storage schema
* attributes of the supabase_storage_admin role

Author: steve-chavez

nix/tests/expected/storage.out

@@ -0,0 +1,174 @@
+-- storage schema owner
+select
+  n.nspname as schema_name,
+  r.rolname as owner
+from
+  pg_namespace n
+join
+  pg_roles r on n.nspowner = r.oid
+where
+  n.nspname = 'storage';
+ schema_name |     owner      
+-------------+----------------
+ storage     | supabase_admin
+(1 row)
+
+-- attributes of the supabase_storage_admin
+select
+  rolcreaterole  ,
+  rolcanlogin    ,
+  rolsuper       ,
+  rolinherit     ,
+  rolcreatedb    ,
+  rolreplication ,
+  rolconnlimit   ,
+  rolbypassrls   ,
+  rolvaliduntil
+from pg_roles r
+where r.rolname = 'supabase_storage_admin';
+ rolcreaterole | rolcanlogin | rolsuper | rolinherit | rolcreatedb | rolreplication | rolconnlimit | rolbypassrls | rolvaliduntil 
+---------------+-------------+----------+------------+-------------+----------------+--------------+--------------+---------------
+ t             | t           | f        | f          | f           | f              |           -1 | f            | 
+(1 row)
+
+select
+  rolconfig
+from pg_roles r
+where r.rolname = 'supabase_storage_admin';
+                rolconfig                 
+------------------------------------------
+ {search_path=storage,log_statement=none}
+(1 row)
+
+-- storage schema tables with owners and rls policies
+select
+  ns.nspname as schema_name,
+  c.relname as table_name,
+  r.rolname as owner,
+  c.relrowsecurity as rls_enabled,
+  string_agg(p.polname, ', ' order by p.polname) as rls_policies
+from
+  pg_class c
+join
+  pg_namespace ns on c.relnamespace = ns.oid
+join
+  pg_roles r on c.relowner = r.oid
+left join
+  pg_policy p on p.polrelid = c.oid
+where
+  ns.nspname = 'storage'
+  and c.relkind = 'r'
+group by
+  ns.nspname, c.relname, r.rolname, c.relrowsecurity
+order by
+  c.relname;
+ schema_name | table_name |         owner          | rls_enabled | rls_policies 
+-------------+------------+------------------------+-------------+--------------
+ storage     | buckets    | supabase_storage_admin | f           | 
+ storage     | migrations | supabase_storage_admin | f           | 
+ storage     | objects    | supabase_storage_admin | t           | 
+(3 rows)
+
+-- storage indexes with owners
+select
+  ns.nspname as table_schema,
+  t.relname as table_name,
+  i.relname as index_name,
+  r.rolname as index_owner
+from
+  pg_class t
+join
+  pg_namespace ns on t.relnamespace = ns.oid
+join
+  pg_index idx on t.oid = idx.indrelid
+join
+  pg_class i on idx.indexrelid = i.oid
+join
+  pg_roles r on i.relowner = r.oid
+where
+  ns.nspname = 'storage'
+order by
+  t.relname, i.relname;
+ table_schema | table_name |     index_name      |      index_owner       
+--------------+------------+---------------------+------------------------
+ storage      | buckets    | bname               | supabase_storage_admin
+ storage      | buckets    | buckets_pkey        | supabase_storage_admin
+ storage      | migrations | migrations_name_key | supabase_storage_admin
+ storage      | migrations | migrations_pkey     | supabase_storage_admin
+ storage      | objects    | bucketid_objname    | supabase_storage_admin
+ storage      | objects    | name_prefix_search  | supabase_storage_admin
+ storage      | objects    | objects_pkey        | supabase_storage_admin
+(7 rows)
+
+-- storage schema functions with owners
+select
+  n.nspname as schema_name,
+  p.proname as function_name,
+  r.rolname as owner
+from
+  pg_proc p
+join
+  pg_namespace n on p.pronamespace = n.oid
+join
+  pg_roles r on p.proowner = r.oid
+where
+  n.nspname = 'storage'
+order by
+  p.proname;
+ schema_name | function_name |         owner          
+-------------+---------------+------------------------
+ storage     | extension     | supabase_storage_admin
+ storage     | filename      | supabase_storage_admin
+ storage     | foldername    | supabase_storage_admin
+ storage     | search        | supabase_storage_admin
+(4 rows)
+
+-- roles which have USAGE on the storage schema
+select
+  n.nspname as schema_name,
+  r.rolname as role_name,
+  a.privilege_type
+from
+  pg_namespace n
+cross join lateral aclexplode(n.nspacl) as a
+join
+  pg_roles r on a.grantee = r.oid
+where
+  n.nspname = 'storage'
+  and a.privilege_type = 'USAGE'
+order by
+  r.rolname;
+ schema_name |       role_name        | privilege_type 
+-------------+------------------------+----------------
+ storage     | anon                   | USAGE
+ storage     | authenticated          | USAGE
+ storage     | dashboard_user         | USAGE
+ storage     | postgres               | USAGE
+ storage     | service_role           | USAGE
+ storage     | supabase_admin         | USAGE
+ storage     | supabase_storage_admin | USAGE
+(7 rows)
+
+-- roles which have CREATE on the storage schema
+select
+  n.nspname as schema_name,
+  r.rolname as role_name,
+  a.privilege_type
+from
+  pg_namespace n
+cross join lateral aclexplode(n.nspacl) as a
+join
+  pg_roles r on a.grantee = r.oid
+where
+  n.nspname = 'storage'
+  and a.privilege_type = 'CREATE'
+order by
+  r.rolname;
+ schema_name |       role_name        | privilege_type 
+-------------+------------------------+----------------
+ storage     | dashboard_user         | CREATE
+ storage     | postgres               | CREATE
+ storage     | supabase_admin         | CREATE
+ storage     | supabase_storage_admin | CREATE
+(4 rows)
+

nix/tests/sql/storage.sql

@@ -0,0 +1,121 @@
+-- storage schema owner
+select
+  n.nspname as schema_name,
+  r.rolname as owner
+from
+  pg_namespace n
+join
+  pg_roles r on n.nspowner = r.oid
+where
+  n.nspname = 'storage';
+
+-- attributes of the supabase_storage_admin
+select
+  rolcreaterole  ,
+  rolcanlogin    ,
+  rolsuper       ,
+  rolinherit     ,
+  rolcreatedb    ,
+  rolreplication ,
+  rolconnlimit   ,
+  rolbypassrls   ,
+  rolvaliduntil
+from pg_roles r
+where r.rolname = 'supabase_storage_admin';
+
+select
+  rolconfig
+from pg_roles r
+where r.rolname = 'supabase_storage_admin';
+
+-- storage schema tables with owners and rls policies
+select
+  ns.nspname as schema_name,
+  c.relname as table_name,
+  r.rolname as owner,
+  c.relrowsecurity as rls_enabled,
+  string_agg(p.polname, ', ' order by p.polname) as rls_policies
+from
+  pg_class c
+join
+  pg_namespace ns on c.relnamespace = ns.oid
+join
+  pg_roles r on c.relowner = r.oid
+left join
+  pg_policy p on p.polrelid = c.oid
+where
+  ns.nspname = 'storage'
+  and c.relkind = 'r'
+group by
+  ns.nspname, c.relname, r.rolname, c.relrowsecurity
+order by
+  c.relname;
+
+-- storage indexes with owners
+select
+  ns.nspname as table_schema,
+  t.relname as table_name,
+  i.relname as index_name,
+  r.rolname as index_owner
+from
+  pg_class t
+join
+  pg_namespace ns on t.relnamespace = ns.oid
+join
+  pg_index idx on t.oid = idx.indrelid
+join
+  pg_class i on idx.indexrelid = i.oid
+join
+  pg_roles r on i.relowner = r.oid
+where
+  ns.nspname = 'storage'
+order by
+  t.relname, i.relname;
+
+-- storage schema functions with owners
+select
+  n.nspname as schema_name,
+  p.proname as function_name,
+  r.rolname as owner
+from
+  pg_proc p
+join
+  pg_namespace n on p.pronamespace = n.oid
+join
+  pg_roles r on p.proowner = r.oid
+where
+  n.nspname = 'storage'
+order by
+  p.proname;
+
+-- roles which have USAGE on the storage schema
+select
+  n.nspname as schema_name,
+  r.rolname as role_name,
+  a.privilege_type
+from
+  pg_namespace n
+cross join lateral aclexplode(n.nspacl) as a
+join
+  pg_roles r on a.grantee = r.oid
+where
+  n.nspname = 'storage'
+  and a.privilege_type = 'USAGE'
+order by
+  r.rolname;
+
+-- roles which have CREATE on the storage schema
+select
+  n.nspname as schema_name,
+  r.rolname as role_name,
+  a.privilege_type
+from
+  pg_namespace n
+cross join lateral aclexplode(n.nspacl) as a
+join
+  pg_roles r on a.grantee = r.oid
+where
+  n.nspname = 'storage'
+  and a.privilege_type = 'CREATE'
+order by
+  r.rolname;