Skip to content

test: regression for storage schema #1517

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Apr 3, 2025
Merged

test: regression for storage schema #1517

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b1624a9
test: regress policies on auth tables
steve-chavez Apr 2, 2025
54aee1e
test: regression for storage schema
steve-chavez Apr 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 19 additions & 13 deletions nix/tests/expected/auth.out
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,29 +40,35 @@ where r.rolname = 'supabase_auth_admin';
{search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none}
(1 row)

-- auth schema tables with owners
-- auth schema tables with owners and rls policies
select
n.nspname as schema_name,
ns.nspname as schema_name,
c.relname as table_name,
r.rolname as owner
r.rolname as owner,
c.relrowsecurity as rls_enabled,
string_agg(p.polname, ', ' order by p.polname) as rls_policies
from
pg_class c
join
pg_namespace n on c.relnamespace = n.oid
pg_namespace ns on c.relnamespace = ns.oid
join
pg_roles r on c.relowner = r.oid
left join
pg_policy p on p.polrelid = c.oid
where
c.relkind in ('r') -- 'r' for regular tables
and n.nspname = 'auth'
ns.nspname = 'auth'
and c.relkind = 'r'
group by
ns.nspname, c.relname, r.rolname, c.relrowsecurity
order by
c.relname;
schema_name | table_name | owner
-------------+-------------------+---------------------
auth | audit_log_entries | supabase_auth_admin
auth | instances | supabase_auth_admin
auth | refresh_tokens | supabase_auth_admin
auth | schema_migrations | supabase_auth_admin
auth | users | supabase_auth_admin
schema_name | table_name | owner | rls_enabled | rls_policies
-------------+-------------------+---------------------+-------------+--------------
auth | audit_log_entries | supabase_auth_admin | f |
auth | instances | supabase_auth_admin | f |
auth | refresh_tokens | supabase_auth_admin | f |
auth | schema_migrations | supabase_auth_admin | f |
auth | users | supabase_auth_admin | f |
(5 rows)

-- auth indexes with owners
Expand Down
174 changes: 174 additions & 0 deletions nix/tests/expected/storage.out
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,174 @@
-- storage schema owner
select
n.nspname as schema_name,
r.rolname as owner
from
pg_namespace n
join
pg_roles r on n.nspowner = r.oid
where
n.nspname = 'storage';
schema_name | owner
-------------+----------------
storage | supabase_admin
(1 row)

-- attributes of the supabase_storage_admin
select
rolcreaterole ,
rolcanlogin ,
rolsuper ,
rolinherit ,
rolcreatedb ,
rolreplication ,
rolconnlimit ,
rolbypassrls ,
rolvaliduntil
from pg_roles r
where r.rolname = 'supabase_storage_admin';
rolcreaterole | rolcanlogin | rolsuper | rolinherit | rolcreatedb | rolreplication | rolconnlimit | rolbypassrls | rolvaliduntil
---------------+-------------+----------+------------+-------------+----------------+--------------+--------------+---------------
t | t | f | f | f | f | -1 | f |
(1 row)

select
rolconfig
from pg_roles r
where r.rolname = 'supabase_storage_admin';
rolconfig
------------------------------------------
{search_path=storage,log_statement=none}
(1 row)

-- storage schema tables with owners and rls policies
select
ns.nspname as schema_name,
c.relname as table_name,
r.rolname as owner,
c.relrowsecurity as rls_enabled,
string_agg(p.polname, ', ' order by p.polname) as rls_policies
from
pg_class c
join
pg_namespace ns on c.relnamespace = ns.oid
join
pg_roles r on c.relowner = r.oid
left join
pg_policy p on p.polrelid = c.oid
where
ns.nspname = 'storage'
and c.relkind = 'r'
group by
ns.nspname, c.relname, r.rolname, c.relrowsecurity
order by
c.relname;
schema_name | table_name | owner | rls_enabled | rls_policies
-------------+------------+------------------------+-------------+--------------
storage | buckets | supabase_storage_admin | f |
storage | migrations | supabase_storage_admin | f |
storage | objects | supabase_storage_admin | t |
(3 rows)

-- storage indexes with owners
select
ns.nspname as table_schema,
t.relname as table_name,
i.relname as index_name,
r.rolname as index_owner
from
pg_class t
join
pg_namespace ns on t.relnamespace = ns.oid
join
pg_index idx on t.oid = idx.indrelid
join
pg_class i on idx.indexrelid = i.oid
join
pg_roles r on i.relowner = r.oid
where
ns.nspname = 'storage'
order by
t.relname, i.relname;
table_schema | table_name | index_name | index_owner
--------------+------------+---------------------+------------------------
storage | buckets | bname | supabase_storage_admin
storage | buckets | buckets_pkey | supabase_storage_admin
storage | migrations | migrations_name_key | supabase_storage_admin
storage | migrations | migrations_pkey | supabase_storage_admin
storage | objects | bucketid_objname | supabase_storage_admin
storage | objects | name_prefix_search | supabase_storage_admin
storage | objects | objects_pkey | supabase_storage_admin
(7 rows)

-- storage schema functions with owners
select
n.nspname as schema_name,
p.proname as function_name,
r.rolname as owner
from
pg_proc p
join
pg_namespace n on p.pronamespace = n.oid
join
pg_roles r on p.proowner = r.oid
where
n.nspname = 'storage'
order by
p.proname;
schema_name | function_name | owner
-------------+---------------+------------------------
storage | extension | supabase_storage_admin
storage | filename | supabase_storage_admin
storage | foldername | supabase_storage_admin
storage | search | supabase_storage_admin
(4 rows)

-- roles which have USAGE on the storage schema
select
n.nspname as schema_name,
r.rolname as role_name,
a.privilege_type
from
pg_namespace n
cross join lateral aclexplode(n.nspacl) as a
join
pg_roles r on a.grantee = r.oid
where
n.nspname = 'storage'
and a.privilege_type = 'USAGE'
order by
r.rolname;
schema_name | role_name | privilege_type
-------------+------------------------+----------------
storage | anon | USAGE
storage | authenticated | USAGE
storage | dashboard_user | USAGE
storage | postgres | USAGE
storage | service_role | USAGE
storage | supabase_admin | USAGE
storage | supabase_storage_admin | USAGE
(7 rows)

-- roles which have CREATE on the storage schema
select
n.nspname as schema_name,
r.rolname as role_name,
a.privilege_type
from
pg_namespace n
cross join lateral aclexplode(n.nspacl) as a
join
pg_roles r on a.grantee = r.oid
where
n.nspname = 'storage'
and a.privilege_type = 'CREATE'
order by
r.rolname;
schema_name | role_name | privilege_type
-------------+------------------------+----------------
storage | dashboard_user | CREATE
storage | postgres | CREATE
storage | supabase_admin | CREATE
storage | supabase_storage_admin | CREATE
(4 rows)

18 changes: 12 additions & 6 deletions nix/tests/sql/auth.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,20 +28,26 @@ select
from pg_roles r
where r.rolname = 'supabase_auth_admin';

-- auth schema tables with owners
-- auth schema tables with owners and rls policies
select
n.nspname as schema_name,
ns.nspname as schema_name,
c.relname as table_name,
r.rolname as owner
r.rolname as owner,
c.relrowsecurity as rls_enabled,
string_agg(p.polname, ', ' order by p.polname) as rls_policies
from
pg_class c
join
pg_namespace n on c.relnamespace = n.oid
pg_namespace ns on c.relnamespace = ns.oid
join
pg_roles r on c.relowner = r.oid
left join
pg_policy p on p.polrelid = c.oid
where
c.relkind in ('r') -- 'r' for regular tables
and n.nspname = 'auth'
ns.nspname = 'auth'
and c.relkind = 'r'
group by
ns.nspname, c.relname, r.rolname, c.relrowsecurity
order by
c.relname;

Expand Down
121 changes: 121 additions & 0 deletions nix/tests/sql/storage.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,121 @@
-- storage schema owner
select
n.nspname as schema_name,
r.rolname as owner
from
pg_namespace n
join
pg_roles r on n.nspowner = r.oid
where
n.nspname = 'storage';

-- attributes of the supabase_storage_admin
select
rolcreaterole ,
rolcanlogin ,
rolsuper ,
rolinherit ,
rolcreatedb ,
rolreplication ,
rolconnlimit ,
rolbypassrls ,
rolvaliduntil
from pg_roles r
where r.rolname = 'supabase_storage_admin';

select
rolconfig
from pg_roles r
where r.rolname = 'supabase_storage_admin';

-- storage schema tables with owners and rls policies
select
ns.nspname as schema_name,
c.relname as table_name,
r.rolname as owner,
c.relrowsecurity as rls_enabled,
string_agg(p.polname, ', ' order by p.polname) as rls_policies
from
pg_class c
join
pg_namespace ns on c.relnamespace = ns.oid
join
pg_roles r on c.relowner = r.oid
left join
pg_policy p on p.polrelid = c.oid
where
ns.nspname = 'storage'
and c.relkind = 'r'
group by
ns.nspname, c.relname, r.rolname, c.relrowsecurity
order by
c.relname;

-- storage indexes with owners
select
ns.nspname as table_schema,
t.relname as table_name,
i.relname as index_name,
r.rolname as index_owner
from
pg_class t
join
pg_namespace ns on t.relnamespace = ns.oid
join
pg_index idx on t.oid = idx.indrelid
join
pg_class i on idx.indexrelid = i.oid
join
pg_roles r on i.relowner = r.oid
where
ns.nspname = 'storage'
order by
t.relname, i.relname;

-- storage schema functions with owners
select
n.nspname as schema_name,
p.proname as function_name,
r.rolname as owner
from
pg_proc p
join
pg_namespace n on p.pronamespace = n.oid
join
pg_roles r on p.proowner = r.oid
where
n.nspname = 'storage'
order by
p.proname;

-- roles which have USAGE on the storage schema
select
n.nspname as schema_name,
r.rolname as role_name,
a.privilege_type
from
pg_namespace n
cross join lateral aclexplode(n.nspacl) as a
join
pg_roles r on a.grantee = r.oid
where
n.nspname = 'storage'
and a.privilege_type = 'USAGE'
order by
r.rolname;

-- roles which have CREATE on the storage schema
select
n.nspname as schema_name,
r.rolname as role_name,
a.privilege_type
from
pg_namespace n
cross join lateral aclexplode(n.nspacl) as a
join
pg_roles r on a.grantee = r.oid
where
n.nspname = 'storage'
and a.privilege_type = 'CREATE'
order by
r.rolname;