
test: roles privileges, memberships, attributes #1521

Merged
merged 1 commit into from
Apr 4, 2025
Merged
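--- a/migrations/db/init-scripts/README.md
+++ b/migrations/db/init-scripts/README.md
@@ -0,0 +1,7 @@
+
+The effects of these migrations are tested on:
+
+- [nix/tests/sql/auth.out](../../../nix/tests/expected/auth.out)
+- [nix/tests/sql/storage.out](../../../nix/tests/expected/storage.out)
+- [nix/tests/sql/roles.out](../../../nix/tests/expected/roles.out)
+- [nix/tests/sql/evtrigs.out](../../../nix/tests/expected/evtrigs.out)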
76 changes: 0 additions & 76 deletions nix/tests/expected/auth.out
Expand Up @@ -13,33 +13,6 @@ where
auth | supabase_admin
(1 row)

-- attributes of the supabase_auth_admin
select
rolcreaterole ,
rolcanlogin ,
rolsuper ,
rolinherit ,
rolcreatedb ,
rolreplication ,
rolconnlimit ,
rolbypassrls ,
rolvaliduntil
from pg_roles r
where r.rolname = 'supabase_auth_admin';
rolcreaterole | rolcanlogin | rolsuper | rolinherit | rolcreatedb | rolreplication | rolconnlimit | rolbypassrls | rolvaliduntil
---------------+-------------+----------+------------+-------------+----------------+--------------+--------------+---------------
t | t | f | f | f | f | -1 | f |
(1 row)

select
rolconfig
from pg_roles r
where r.rolname = 'supabase_auth_admin';
rolconfig
---------------------------------------------------------------------------------
{search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none}
(1 row)

-- auth schema tables with owners and rls policies
select
ns.nspname as schema_name,
Expand Down Expand Up @@ -129,52 +102,3 @@ order by
auth | uid | supabase_auth_admin
(3 rows)

-- roles which have USAGE on the auth schema
select
n.nspname as schema_name,
r.rolname as role_name,
a.privilege_type
from
pg_namespace n
cross join lateral aclexplode(n.nspacl) as a
join
pg_roles r on a.grantee = r.oid
where
n.nspname = 'auth'
and a.privilege_type = 'USAGE'
order by
r.rolname;
schema_name | role_name | privilege_type
-------------+---------------------+----------------
auth | anon | USAGE
auth | authenticated | USAGE
auth | dashboard_user | USAGE
auth | postgres | USAGE
auth | service_role | USAGE
auth | supabase_admin | USAGE
auth | supabase_auth_admin | USAGE
(7 rows)

-- roles which have CREATE on the auth schema
select
n.nspname as schema_name,
r.rolname as role_name,
a.privilege_type
from
pg_namespace n
cross join lateral aclexplode(n.nspacl) as a
join
pg_roles r on a.grantee = r.oid
where
n.nspname = 'auth'
and a.privilege_type = 'CREATE'
order by
r.rolname;
schema_name | role_name | privilege_type
-------------+---------------------+----------------
auth | dashboard_user | CREATE
auth | postgres | CREATE
auth | supabase_admin | CREATE
auth | supabase_auth_admin | CREATE
(4 rows)

12 changes: 0 additions & 12 deletions nix/tests/expected/default_privs.out

This file was deleted.

580 changes: 580 additions & 0 deletions nix/tests/expected/roles.out

Large diffs are not rendered by default.

76 changes: 0 additions & 76 deletions nix/tests/expected/storage.out
Expand Up @@ -13,33 +13,6 @@ where
storage | supabase_admin
(1 row)

-- attributes of the supabase_storage_admin
select
rolcreaterole ,
rolcanlogin ,
rolsuper ,
rolinherit ,
rolcreatedb ,
rolreplication ,
rolconnlimit ,
rolbypassrls ,
rolvaliduntil
from pg_roles r
where r.rolname = 'supabase_storage_admin';
rolcreaterole | rolcanlogin | rolsuper | rolinherit | rolcreatedb | rolreplication | rolconnlimit | rolbypassrls | rolvaliduntil
---------------+-------------+----------+------------+-------------+----------------+--------------+--------------+---------------
t | t | f | f | f | f | -1 | f |
(1 row)

select
rolconfig
from pg_roles r
where r.rolname = 'supabase_storage_admin';
rolconfig
------------------------------------------
{search_path=storage,log_statement=none}
(1 row)

-- storage schema tables with owners and rls policies
select
ns.nspname as schema_name,
Expand Down Expand Up @@ -123,52 +96,3 @@ order by
storage | search | supabase_storage_admin
(4 rows)

-- roles which have USAGE on the storage schema
select
n.nspname as schema_name,
r.rolname as role_name,
a.privilege_type
from
pg_namespace n
cross join lateral aclexplode(n.nspacl) as a
join
pg_roles r on a.grantee = r.oid
where
n.nspname = 'storage'
and a.privilege_type = 'USAGE'
order by
r.rolname;
schema_name | role_name | privilege_type
-------------+------------------------+----------------
storage | anon | USAGE
storage | authenticated | USAGE
storage | dashboard_user | USAGE
storage | postgres | USAGE
storage | service_role | USAGE
storage | supabase_admin | USAGE
storage | supabase_storage_admin | USAGE
(7 rows)

-- roles which have CREATE on the storage schema
select
n.nspname as schema_name,
r.rolname as role_name,
a.privilege_type
from
pg_namespace n
cross join lateral aclexplode(n.nspacl) as a
join
pg_roles r on a.grantee = r.oid
where
n.nspname = 'storage'
and a.privilege_type = 'CREATE'
order by
r.rolname;
schema_name | role_name | privilege_type
-------------+------------------------+----------------
storage | dashboard_user | CREATE
storage | postgres | CREATE
storage | supabase_admin | CREATE
storage | supabase_storage_admin | CREATE
(4 rows)

51 changes: 0 additions & 51 deletions nix/tests/sql/auth.sql
Expand Up @@ -9,25 +9,6 @@ join
where
n.nspname = 'auth';

-- attributes of the supabase_auth_admin
select
rolcreaterole ,
rolcanlogin ,
rolsuper ,
rolinherit ,
rolcreatedb ,
rolreplication ,
rolconnlimit ,
rolbypassrls ,
rolvaliduntil
from pg_roles r
where r.rolname = 'supabase_auth_admin';

select
rolconfig
from pg_roles r
where r.rolname = 'supabase_auth_admin';

-- auth schema tables with owners and rls policies
select
ns.nspname as schema_name,
Expand Down Expand Up @@ -87,35 +68,3 @@ where
n.nspname = 'auth'
order by
p.proname;

-- roles which have USAGE on the auth schema
select
n.nspname as schema_name,
r.rolname as role_name,
a.privilege_type
from
pg_namespace n
cross join lateral aclexplode(n.nspacl) as a
join
pg_roles r on a.grantee = r.oid
where
n.nspname = 'auth'
and a.privilege_type = 'USAGE'
order by
r.rolname;

-- roles which have CREATE on the auth schema
select
n.nspname as schema_name,
r.rolname as role_name,
a.privilege_type
from
pg_namespace n
cross join lateral aclexplode(n.nspacl) as a
join
pg_roles r on a.grantee = r.oid
where
n.nspname = 'auth'
and a.privilege_type = 'CREATE'
order by
r.rolname;
2 changes: 0 additions & 2 deletions nix/tests/sql/default_privs.sql
Why was this deleted?

That file was just renamed; the new one has much more data tested.

I should also add that I added this deleted file in #1496

This file was deleted.

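--- a/nix/tests/sql/roles.sql
+++ b/nix/tests/sql/roles.sql
@@ -0,0 +1,77 @@
+-- all roles and attributes
+select
+  rolname,
+  rolcreaterole ,
+  rolcanlogin ,
+  rolsuper ,
+  rolinherit ,
+  rolcreatedb ,
+  rolreplication ,
+  rolconnlimit ,
+  rolbypassrls ,
+  rolvaliduntil
+from pg_roles r
+-- TODO: this exclusion is to maintain compat with pg17, we should cover it
+where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+order by rolname;
+
+select
+  rolname,
+  rolconfig
+from pg_roles r
+-- TODO: this exclusion is to maintain compat with pg17, we should cover it
+where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+order by rolname;
+
+-- all role memberships
+select
+  r.rolname as member,
+  g.rolname as "member_of (can become)",
+  m.admin_option
+from
+  pg_roles r
+left join
+  pg_auth_members m on r.oid = m.member
+left join
+  pg_roles g on m.roleid = g.oid
+-- TODO: this exclusion is to maintain compat with pg17, we should cover it
+where r.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+order by
+  r.rolname, g.rolname;
+
+-- Check all privileges of the roles on the schemas
+select schema_name, privilege_type, grantee, default_for
+from (
+  -- ALTER DEFAULT privileges on schemas
+  select
+    n.nspname as schema_name,
+    a.privilege_type,
+    r.rolname as grantee,
+    d.defaclrole::regrole as default_for,
+    case when n.nspname = 'public' then 0 else 1 end as schema_order
+  from
+    pg_default_acl d
+  join
+    pg_namespace n on d.defaclnamespace = n.oid
+  cross join lateral aclexplode(d.defaclacl) as a
+  join
+    pg_roles r on a.grantee = r.oid
+  where
+    a.privilege_type != 'MAINTAIN' -- TODO: this is to maintain compat with pg17, we should cover it
+  union all
+  -- explicit grant usage and create on the schemas
+  select
+    n.nspname as schema_name,
+    a.privilege_type,
+    r.rolname as grantee,
+    n.nspowner::regrole as default_for,
+    case when n.nspname = 'public' then 0 else 1 end as schema_order
+  from
+    pg_namespace n
+  cross join lateral aclexplode(n.nspacl) as a
+  join
+    pg_roles r on a.grantee = r.oid
+  where
+    a.privilege_type in ('CREATE', 'USAGE')
+) sub
+order by schema_order, schema_name, privilege_type, grantee, default_for;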
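Review bot: The membership snapshot selects only `m.admin_option`, while on PostgreSQL 16+ `pg_auth_members` also carries `inherit_option` and `set_option`, which decide whether a member actually inherits the target's privileges or may `SET ROLE` to it — the property the alias `"member_of (can become)"` asserts. If the test matrix is pg16+ (the pg17 TODOs suggest it may be), adding `m.inherit_option, m.set_option` to the select list would make a change to those flags show up in the expected output; if pg15 is still in the matrix those columns do not exist there, so a comment such as `-- inherit_option/set_option (pg16+) are not captured here; "can become" is only exact when set_option is true` would at least record the gap. A smaller naming point: in the second branch of the union, `n.nspowner::regrole as default_for` puts the schema owner into a column named for the default-ACL grantor, which reads confusingly in the combined output.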
51 changes: 0 additions & 51 deletions nix/tests/sql/storage.sql
Expand Up @@ -9,25 +9,6 @@ join
where
n.nspname = 'storage';

-- attributes of the supabase_storage_admin
select
rolcreaterole ,
rolcanlogin ,
rolsuper ,
rolinherit ,
rolcreatedb ,
rolreplication ,
rolconnlimit ,
rolbypassrls ,
rolvaliduntil
from pg_roles r
where r.rolname = 'supabase_storage_admin';

select
rolconfig
from pg_roles r
where r.rolname = 'supabase_storage_admin';

-- storage schema tables with owners and rls policies
select
ns.nspname as schema_name,
Expand Down Expand Up @@ -87,35 +68,3 @@ where
n.nspname = 'storage'
order by
p.proname;

-- roles which have USAGE on the storage schema
select
n.nspname as schema_name,
r.rolname as role_name,
a.privilege_type
from
pg_namespace n
cross join lateral aclexplode(n.nspacl) as a
join
pg_roles r on a.grantee = r.oid
where
n.nspname = 'storage'
and a.privilege_type = 'USAGE'
order by
r.rolname;

-- roles which have CREATE on the storage schema
select
n.nspname as schema_name,
r.rolname as role_name,
a.privilege_type
from
pg_namespace n
cross join lateral aclexplode(n.nspacl) as a
join
pg_roles r on a.grantee = r.oid
where
n.nspname = 'storage'
and a.privilege_type = 'CREATE'
order by
r.rolname;