diff --git a/ansible/vars.yml b/ansible/vars.yml
index 630bdee62..730c51098 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -9,9 +9,9 @@ postgres_major:
 # Full version strings for each major version
 postgres_release:
- postgresorioledb-17: "17.0.1.59-orioledb"
- postgres17: "17.4.1.009"
- postgres15: "15.8.1.066"
+ postgresorioledb-17: "17.0.1.56-orioledb-evttrig-4"
+ postgres17: "17.4.1.006-evttrig-4"
+ postgres15: "15.8.1.063-evttrig-4"
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"
diff --git a/migrations/db/migrations/20231020085357_revoke_writes_on_cron_job_from_postgres.sql b/migrations/db/migrations/20231020085357_revoke_writes_on_cron_job_from_postgres.sql
index 25b827110..d4da7f6d5 100644
--- a/migrations/db/migrations/20231020085357_revoke_writes_on_cron_job_from_postgres.sql
+++ b/migrations/db/migrations/20231020085357_revoke_writes_on_cron_job_from_postgres.sql
@@ -38,6 +38,7 @@ BEGIN
 END IF;
 END;
 $$;
+alter function extensions.grant_pg_cron_access owner to supabase_admin;
 drop event trigger if exists issue_pg_cron_access;
 CREATE EVENT TRIGGER issue_pg_cron_access ON ddl_command_end
diff --git a/migrations/db/migrations/20250402065937_alter_internal_event_triggers_owner_to_supabase_admin.sql b/migrations/db/migrations/20250402065937_alter_internal_event_triggers_owner_to_supabase_admin.sql
new file mode 100644
index 000000000..7fa1a414f
--- /dev/null
+++ b/migrations/db/migrations/20250402065937_alter_internal_event_triggers_owner_to_supabase_admin.sql
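Review bot: The added `alter function extensions.grant_pg_cron_access owner to supabase_admin;` lands in a migration that has already been applied, so databases that ran it before this change never execute the line, and on fresh databases the later 20250402065937 migration in this same commit drops and recreates the function anyway, so the final owner there is whatever role runs that later file. Unless the migration runner is guaranteed to be supabase_admin, this line is effectively a no-op on both paths; the owner statement would be more useful in the new migration, after its `CREATE OR REPLACE FUNCTION` definitions, where no `owner to` statement exists. The lowercase `alter function` also sits next to the uppercase `CREATE EVENT TRIGGER` two lines below; the file should settle on one keyword case. The enclosing function body starts outside the hunk.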
@@ -0,0 +1,95 @@
+-- migrate:up
+drop event trigger if exists issue_pg_cron_access;
+drop event trigger if exists issue_pg_net_access;
+drop function if exists extensions.grant_pg_cron_access;
+drop function if exists extensions.grant_pg_net_access;
+
+CREATE OR REPLACE FUNCTION extensions.grant_pg_cron_access()
+ RETURNS event_trigger
+ LANGUAGE plpgsql
+AS $function$
+BEGIN
+ IF EXISTS (
+ SELECT
+ FROM pg_event_trigger_ddl_commands() AS ev
+ JOIN pg_extension AS ext
+ ON ev.objid = ext.oid
+ WHERE ext.extname = 'pg_cron'
+ )
+ THEN
+ grant usage on schema cron to postgres with grant option;
+
+ alter default privileges in schema cron grant all on tables to postgres with grant option;
+ alter default privileges in schema cron grant all on functions to postgres with grant option;
+ alter default privileges in schema cron grant all on sequences to postgres with grant option;
+
+ alter default privileges for user supabase_admin in schema cron grant all
+ on sequences to postgres with grant option;
+ alter default privileges for user supabase_admin in schema cron grant all
+ on tables to postgres with grant option;
+ alter default privileges for user supabase_admin in schema cron grant all
+ on functions to postgres with grant option;
+
+ grant all privileges on all tables in schema cron to postgres with grant option;
+ revoke all on table cron.job from postgres;
+ grant select on table cron.job to postgres with grant option;
+ END IF;
+END;
+$function$;
+
+CREATE OR REPLACE FUNCTION extensions.grant_pg_net_access()
+ RETURNS event_trigger
+ LANGUAGE plpgsql
+AS $function$
+BEGIN
+ IF EXISTS (
+ SELECT 1
+ FROM pg_event_trigger_ddl_commands() AS ev
+ JOIN pg_extension AS ext
+ ON ev.objid = ext.oid
+ WHERE ext.extname = 'pg_net'
+ )
+ THEN
+ IF NOT EXISTS (
+ SELECT 1
+ FROM pg_roles
+ WHERE rolname = 'supabase_functions_admin'
+ )
+ THEN
+ CREATE USER supabase_functions_admin NOINHERIT CREATEROLE LOGIN NOREPLICATION;
+ END IF;
+
+ GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+
+ IF EXISTS (
+ SELECT FROM pg_extension
+ WHERE extname = 'pg_net'
+ -- all versions in use on existing projects as of 2025-02-20
+ -- version 0.12.0 onwards don't need these applied
+ AND extversion IN ('0.2', '0.6', '0.7', '0.7.1', '0.8', '0.10.0', '0.11.0')
+ ) THEN
+ ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
+ ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
+
+ ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
+ ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
+
+ REVOKE ALL ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
+ REVOKE ALL ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
+
+ GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+ GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+ END IF;
+ END IF;
+END;
+$function$;
+
+CREATE EVENT TRIGGER issue_pg_cron_access ON ddl_command_end
+ WHEN TAG IN ('CREATE EXTENSION')
+ EXECUTE FUNCTION extensions.grant_pg_cron_access();
+
+CREATE EVENT TRIGGER issue_pg_net_access ON ddl_command_end
+ WHEN TAG IN ('CREATE EXTENSION')
+ EXECUTE FUNCTION extensions.grant_pg_net_access();
+
+-- migrate:down
diff --git a/nix/ext/supautils.nix b/nix/ext/supautils.nix
index f3f5f1482..8cb55f47f 100644
--- a/nix/ext/supautils.nix
+++ b/nix/ext/supautils.nix
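Review bot: Nothing in this file sets the owner its name promises — after the `drop function if exists` lines, the two `CREATE OR REPLACE FUNCTION` statements leave `extensions.grant_pg_cron_access` and `extensions.grant_pg_net_access` owned by whichever role runs the migration, so the result silently depends on the runner's identity rather than on the file. The explicit form already appears in the companion hunk in 20231020085357_revoke_writes_on_cron_job_from_postgres.sql; adding `alter function extensions.grant_pg_cron_access() owner to supabase_admin;` and `alter function extensions.grant_pg_net_access() owner to supabase_admin;` after the second `$function$;` and before the `CREATE EVENT TRIGGER` statements pins the owner regardless of runner. A short header comment under `-- migrate:up` stating why ownership of these event-trigger functions matters (presumably tied to the supautils 2.7.3 bump in this same commit, but that link is not stated anywhere in the file) would spare the next reader the guesswork. The function bodies are a full restatement of two previous definitions that are not visible in this diff; if nothing in them changed, the header comment should say so, so reviewers need not re-audit the `SECURITY DEFINER`, `SET search_path = net` and `anon`/`authenticated` grants on `net.http_get`/`net.http_post` as if they were new.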
@@ -2,7 +2,7 @@ stdenv.mkDerivation rec {
 pname = "supautils";
- version = "2.6.0";
+ version = "2.7.3";
 buildInputs = [ postgresql ];
@@ -10,13 +10,13 @@ stdenv.mkDerivation rec {
 owner = "supabase";
 repo = pname;
 rev = "refs/tags/v${version}";
- hash = "sha256-QNfUpQjqHNzbNqBvjb5a3GtNH9hjbBMDUK19xUU3LpI=";
+ hash = "sha256-QKQQUz6ObzqINTLZaMQtocOkYX0Rh61fBLoB+rZ64UM=";
 };
 installPhase = ''
 mkdir -p $out/lib
- install -D *${postgresql.dlSuffix} -t $out/lib
+ install -D build/*${postgresql.dlSuffix} -t $out/lib
 '';
 meta = with lib; {