From a4be80b95b976dd87e66f91a53848c08d559335f Mon Sep 17 00:00:00 2001
From: Kang Ming
Date: Fri, 18 Apr 2025 03:08:55 +0800
Subject: [PATCH 1/7] fix: update pgbouncer.get_auth
---
 ...250417190610_update_pgbouncer_get_auth.sql | 24 +++++++
 migrations/schema-15.sql | 67 ++++++++++++++++---
 migrations/schema-17.sql | 67 ++++++++++++++++---
 migrations/schema-orioledb-17.sql | 67 ++++++++++++++++---
 4 files changed, 198 insertions(+), 27 deletions(-)
 create mode 100644 migrations/db/migrations/20250417190610_update_pgbouncer_get_auth.sql
diff --git a/migrations/db/migrations/20250417190610_update_pgbouncer_get_auth.sql b/migrations/db/migrations/20250417190610_update_pgbouncer_get_auth.sql
new file mode 100644
index 000000000..5e6e6a582
--- /dev/null
+++ b/migrations/db/migrations/20250417190610_update_pgbouncer_get_auth.sql
@@ -0,0 +1,24 @@
+-- migrate:up
+
+create or replace function pgbouncer.get_auth(p_usename text) returns table (username text, password text)
+ language plpgsql security definer
+ as $$
+begin
+ raise debug 'PgBouncer auth request: %', p_usename;
+
+ return query
+ select
+ rolname::text,
+ case when rolvaliduntil < now()
+ then null
+ else rolpassword::text
+ end
+ from pg_authid
+ where rolname=$1 and rolcanlogin;
+end;
+$$;
+
+-- from migrations/db/migrations/20250312095419_pgbouncer_ownership.sql
+grant execute on function pgbouncer.get_auth(p_usename text) to postgres;
+
+-- migrate:down
diff --git a/migrations/schema-15.sql b/migrations/schema-15.sql
index 802fbae79..9c423c514 100644
--- a/migrations/schema-15.sql
+++ b/migrations/schema-15.sql
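Review bot: The new `pgbouncer.get_auth` body is `security definer` but no longer pins its schema resolution: the removed body read `pg_catalog.pg_shadow` fully qualified, while the new one reads an unqualified `pg_authid` and `now()` and sets no `search_path`, so object resolution follows whatever the calling session has configured, which is exactly what PostgreSQL's guidance for `security definer` functions says to avoid. Suggest `language plpgsql security definer set search_path = pg_catalog, pg_temp` on the attribute line and `from pg_catalog.pg_authid` in the query; the same applies to the regenerated definitions in the schema-15.sql, schema-17.sql and schema-orioledb-17.sql hunks. `where rolname=$1` mixes a positional reference with the named parameter the function declares; `where rolname = p_usename and rolcanlogin;` reads identically and matches the `raise` line above it. The `-- migrate:down` section is empty, so a rollback leaves the `pg_authid`-based definition in place rather than restoring the previous `pg_shadow` body; presumably intentional, but a one-line comment stating that would spare the next reader the question.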
@@ -483,15 +483,21 @@ COMMENT ON FUNCTION extensions.set_graphql_placeholder() IS 'Reintroduces placeh CREATE FUNCTION pgbouncer.get_auth(p_usename text) RETURNS TABLE(username text, password text) LANGUAGE plpgsql SECURITY DEFINER - AS $$ -BEGIN - RAISE WARNING 'PgBouncer auth request: %', p_usename; - - RETURN QUERY - SELECT usename::TEXT, passwd::TEXT FROM pg_catalog.pg_shadow - WHERE usename = p_usename; -END; -$$; + AS $_$ +begin + raise debug 'PgBouncer auth request: %', p_usename; + + return query + select + rolname::text, + case when rolvaliduntil < now() + then null + else rolpassword::text + end + from pg_authid + where rolname=$1 and rolcanlogin; +end; +$_$; -- @@ -1003,3 +1009,46 @@ CREATE EVENT TRIGGER pgrst_drop_watch ON sql_drop -- Dbmate schema migrations -- +INSERT INTO public.schema_migrations (version) VALUES + ('00000000000000'), + ('00000000000001'), + ('00000000000002'), + ('00000000000003'), + ('10000000000000'), + ('20211115181400'), + ('20211118015519'), + ('20211122051245'), + ('20211124212715'), + ('20211130151719'), + ('20220118070449'), + ('20220126121436'), + ('20220224211803'), + ('20220317095840'), + ('20220321174452'), + ('20220322085208'), + ('20220404205710'), + ('20220609081115'), + ('20220613123923'), + ('20220713082019'), + ('20221028101028'), + ('20221103090837'), + ('20221207154255'), + ('20230201083204'), + ('20230224042246'), + ('20230306081037'), + ('20230327032006'), + ('20230529180330'), + ('20231013070755'), + ('20231017062225'), + ('20231020085357'), + ('20231130133139'), + ('20240124080435'), + ('20240606060239'), + ('20241031003909'), + ('20241215003910'), + ('20250205060043'), + ('20250205144616'), + ('20250218031949'), + ('20250220051611'), + ('20250312095419'), + ('20250417190610'); diff --git a/migrations/schema-17.sql b/migrations/schema-17.sql index eac1280b1..436ce7faf 100644 --- a/migrations/schema-17.sql +++ b/migrations/schema-17.sql 
@@ -470,15 +470,21 @@ COMMENT ON FUNCTION extensions.set_graphql_placeholder() IS 'Reintroduces placeh CREATE FUNCTION pgbouncer.get_auth(p_usename text) RETURNS TABLE(username text, password text) LANGUAGE plpgsql SECURITY DEFINER - AS $$ -BEGIN - RAISE WARNING 'PgBouncer auth request: %', p_usename; - - RETURN QUERY - SELECT usename::TEXT, passwd::TEXT FROM pg_catalog.pg_shadow - WHERE usename = p_usename; -END; -$$; + AS $_$ +begin + raise debug 'PgBouncer auth request: %', p_usename; + + return query + select + rolname::text, + case when rolvaliduntil < now() + then null + else rolpassword::text + end + from pg_authid + where rolname=$1 and rolcanlogin; +end; +$_$; -- @@ -990,3 +996,46 @@ CREATE EVENT TRIGGER pgrst_drop_watch ON sql_drop -- Dbmate schema migrations -- +INSERT INTO public.schema_migrations (version) VALUES + ('00000000000000'), + ('00000000000001'), + ('00000000000002'), + ('00000000000003'), + ('10000000000000'), + ('20211115181400'), + ('20211118015519'), + ('20211122051245'), + ('20211124212715'), + ('20211130151719'), + ('20220118070449'), + ('20220126121436'), + ('20220224211803'), + ('20220317095840'), + ('20220321174452'), + ('20220322085208'), + ('20220404205710'), + ('20220609081115'), + ('20220613123923'), + ('20220713082019'), + ('20221028101028'), + ('20221103090837'), + ('20221207154255'), + ('20230201083204'), + ('20230224042246'), + ('20230306081037'), + ('20230327032006'), + ('20230529180330'), + ('20231013070755'), + ('20231017062225'), + ('20231020085357'), + ('20231130133139'), + ('20240124080435'), + ('20240606060239'), + ('20241031003909'), + ('20241215003910'), + ('20250205060043'), + ('20250205144616'), + ('20250218031949'), + ('20250220051611'), + ('20250312095419'), + ('20250417190610'); diff --git a/migrations/schema-orioledb-17.sql b/migrations/schema-orioledb-17.sql index 013b23d1f..3f59414aa 100644 --- a/migrations/schema-orioledb-17.sql +++ b/migrations/schema-orioledb-17.sql 
@@ -484,15 +484,21 @@ COMMENT ON FUNCTION extensions.set_graphql_placeholder() IS 'Reintroduces placeh CREATE FUNCTION pgbouncer.get_auth(p_usename text) RETURNS TABLE(username text, password text) LANGUAGE plpgsql SECURITY DEFINER - AS $$ -BEGIN - RAISE WARNING 'PgBouncer auth request: %', p_usename; - - RETURN QUERY - SELECT usename::TEXT, passwd::TEXT FROM pg_catalog.pg_shadow - WHERE usename = p_usename; -END; -$$; + AS $_$ +begin + raise debug 'PgBouncer auth request: %', p_usename; + + return query + select + rolname::text, + case when rolvaliduntil < now() + then null + else rolpassword::text + end + from pg_authid + where rolname=$1 and rolcanlogin; +end; +$_$; -- @@ -1004,3 +1010,46 @@ CREATE EVENT TRIGGER pgrst_drop_watch ON sql_drop -- Dbmate schema migrations -- +INSERT INTO public.schema_migrations (version) VALUES + ('00000000000000'), + ('00000000000001'), + ('00000000000002'), + ('00000000000003'), + ('10000000000000'), + ('20211115181400'), + ('20211118015519'), + ('20211122051245'), + ('20211124212715'), + ('20211130151719'), + ('20220118070449'), + ('20220126121436'), + ('20220224211803'), + ('20220317095840'), + ('20220321174452'), + ('20220322085208'), + ('20220404205710'), + ('20220609081115'), + ('20220613123923'), + ('20220713082019'), + ('20221028101028'), + ('20221103090837'), + ('20221207154255'), + ('20230201083204'), + ('20230224042246'), + ('20230306081037'), + ('20230327032006'), + ('20230529180330'), + ('20231013070755'), + ('20231017062225'), + ('20231020085357'), + ('20231130133139'), + ('20240124080435'), + ('20240606060239'), + ('20241031003909'), + ('20241215003910'), + ('20250205060043'), + ('20250205144616'), + ('20250218031949'), + ('20250220051611'), + ('20250312095419'), + ('20250417190610'); From 25d23b771eefbe1116a79e070f704413abe0b642 Mon Sep 17 00:00:00 2001 
From: Kang Ming
Date: Tue, 22 Apr 2025 01:23:06 +0800
Subject: [PATCH 2/7] chore: add tests for pgbouncer
---
 nix/tests/expected/pgbouncer.out | 35 ++++++++++++++++++++++++++++++++
 nix/tests/sql/pgbouncer.sql | 26 ++++++++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 nix/tests/expected/pgbouncer.out
 create mode 100644 nix/tests/sql/pgbouncer.sql
diff --git a/nix/tests/expected/pgbouncer.out b/nix/tests/expected/pgbouncer.out
new file mode 100644
index 000000000..52091b8e7
--- /dev/null
+++ b/nix/tests/expected/pgbouncer.out
@@ -0,0 +1,35 @@
+-- pgbouncer schema owner
+select
+ n.nspname as schema_name,
+ r.rolname as owner
+from
+ pg_namespace n
+join
+ pg_roles r on n.nspowner = r.oid
+where
+ n.nspname = 'pgbouncer';
+ schema_name | owner
+-------------+----------------
+ pgbouncer | supabase_admin
+(1 row)
+
+-- pgbouncer schema functions with owners
+select
+ n.nspname as schema_name,
+ p.proname as function_name,
+ r.rolname as owner
+from
+ pg_proc p
+join
+ pg_namespace n on p.pronamespace = n.oid
+join
+ pg_roles r on p.proowner = r.oid
+where
+ n.nspname = 'pgbouncer'
+order by
+ p.proname;
+ schema_name | function_name | owner
+-------------+---------------+---------------------
+ pgbouncer | get_auth | supabase_admin
+(1 row)
+
diff --git a/nix/tests/sql/pgbouncer.sql b/nix/tests/sql/pgbouncer.sql
new file mode 100644
index 000000000..bb1a731d6
--- /dev/null
+++ b/nix/tests/sql/pgbouncer.sql
@@ -0,0 +1,26 @@
+-- pgbouncer schema owner
+select
+ n.nspname as schema_name,
+ r.rolname as owner
+from
+ pg_namespace n
+join
+ pg_roles r on n.nspowner = r.oid
+where
+ n.nspname = 'pgbouncer';
+
+-- pgbouncer schema functions with owners
+select
+ n.nspname as schema_name,
+ p.proname as function_name,
+ r.rolname as owner
+from
+ pg_proc p
+join
+ pg_namespace n on p.pronamespace = n.oid
+join
+ pg_roles r on p.proowner = r.oid
+where
+ n.nspname = 'pgbouncer'
+order by
+ p.proname;
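Review bot: The second query in nix/tests/sql/pgbouncer.sql records only schema, name and owner of `get_auth`, so the attributes that actually matter for a credential-lookup function — whether it is still `SECURITY DEFINER` and what per-function settings it carries — are not pinned, and a regression in either would leave the expected output unchanged. Adding `p.prosecdef as security_definer,` and `p.proconfig as config,` to that select list captures both next to the owner at no extra cost. `order by p.proname` alone is deterministic only while the schema holds one function per name; `order by p.proname, p.oid` keeps the output stable if an overload is ever added.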
From e564965633f24fa2068f0d8182bbe1ed3e5791ea Mon Sep 17 00:00:00 2001 From: Kang Ming Date: Tue, 22 Apr 2025 01:41:15 +0800 Subject: [PATCH 3/7] chore: add pgbouncer test for role privileges --- nix/tests/expected/pgbouncer.out | 32 ++++++++++++++++++++++++++++++++ nix/tests/sql/pgbouncer.sql | 28 ++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) diff --git a/nix/tests/expected/pgbouncer.out b/nix/tests/expected/pgbouncer.out index 52091b8e7..3d2e5a459 100644 --- a/nix/tests/expected/pgbouncer.out +++ b/nix/tests/expected/pgbouncer.out @@ -33,3 +33,35 @@ order by pgbouncer | get_auth | supabase_admin (1 row) +-- Tests role privileges on the pgbouncer objects +-- INSERT and UPDATE privileges should not be present on the pgbouncer tables for postgres and service_role, only SELECT and DELETE +WITH schema_obj AS ( + SELECT oid, nspname + FROM pg_namespace + WHERE nspname = 'pgbouncer' +) +SELECT + s.nspname AS schema, + c.relname AS object_name, + acl.grantee::regrole::text AS grantee, + acl.privilege_type +FROM pg_class c +JOIN schema_obj s ON s.oid = c.relnamespace +CROSS JOIN LATERAL aclexplode(c.relacl) AS acl +WHERE c.relkind IN ('r', 'v', 'm', 'f', 'p') + AND acl.privilege_type <> 'MAINTAIN' +UNION ALL +SELECT + s.nspname AS schema, + p.proname AS object_name, + acl.grantee::regrole::text AS grantee, + acl.privilege_type +FROM pg_proc p +JOIN schema_obj s ON s.oid = p.pronamespace +CROSS JOIN LATERAL aclexplode(p.proacl) AS acl +ORDER BY object_name, grantee, privilege_type; + schema | object_name | grantee | privilege_type +-----------+-------------+----------------+---------------- + pgbouncer | get_auth | pgbouncer | EXECUTE + pgbouncer | get_auth | postgres | EXECUTE + pgbouncer | get_auth | supabase_admin | EXECUTE diff --git a/nix/tests/sql/pgbouncer.sql b/nix/tests/sql/pgbouncer.sql index bb1a731d6..070ea1702 100644 --- a/nix/tests/sql/pgbouncer.sql +++ b/nix/tests/sql/pgbouncer.sql 
@@ -24,3 +24,31 @@ where n.nspname = 'pgbouncer' order by p.proname; + +-- Tests role privileges on the pgbouncer objects +-- INSERT and UPDATE privileges should not be present on the pgbouncer tables for postgres and service_role, only SELECT and DELETE +WITH schema_obj AS ( + SELECT oid, nspname + FROM pg_namespace + WHERE nspname = 'pgbouncer' +) +SELECT + s.nspname AS schema, + c.relname AS object_name, + acl.grantee::regrole::text AS grantee, + acl.privilege_type +FROM pg_class c +JOIN schema_obj s ON s.oid = c.relnamespace +CROSS JOIN LATERAL aclexplode(c.relacl) AS acl +WHERE c.relkind IN ('r', 'v', 'm', 'f', 'p') + AND acl.privilege_type <> 'MAINTAIN' +UNION ALL +SELECT + s.nspname AS schema, + p.proname AS object_name, + acl.grantee::regrole::text AS grantee, + acl.privilege_type +FROM pg_proc p +JOIN schema_obj s ON s.oid = p.pronamespace +CROSS JOIN LATERAL aclexplode(p.proacl) AS acl +ORDER BY object_name, grantee, privilege_type; From 6b7c966ce98ab1dc1c206a3909d101565de1d05e Mon Sep 17 00:00:00 2001 From: Kang Ming Date: Tue, 22 Apr 2025 01:50:48 +0800 Subject: [PATCH 4/7] chore: fix pgbouncer tests --- nix/tests/expected/pgbouncer.out | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/nix/tests/expected/pgbouncer.out b/nix/tests/expected/pgbouncer.out index 3d2e5a459..49d9c500e 100644 --- a/nix/tests/expected/pgbouncer.out +++ b/nix/tests/expected/pgbouncer.out @@ -8,9 +8,9 @@ join pg_roles r on n.nspowner = r.oid where n.nspname = 'pgbouncer'; - schema_name | owner --------------+---------------- - pgbouncer | supabase_admin + schema_name | owner +-------------+----------- + pgbouncer | pgbouncer (1 row) -- pgbouncer schema functions with owners 
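Review bot: `aclexplode(p.proacl)` produces no rows when `proacl` is NULL, so a function whose ACL was never set explicitly (PostgreSQL's built-in default, which includes EXECUTE for PUBLIC) shows up in this test as having no grantees rather than as an over-broad grant; the expected output catches that case only as missing lines, which is easy to misread as "nothing granted". Expanding the default instead, `CROSS JOIN LATERAL aclexplode(coalesce(p.proacl, acldefault('f', p.proowner))) AS acl`, makes an implicit PUBLIC entry visible as a `-` grantee row, and the relation branch can do the same with `acldefault('r', c.relowner)` on `c.relacl`. The `acl.privilege_type <> 'MAINTAIN'` filter is applied only to the relation branch and is presumably there to keep the output identical across the PostgreSQL major versions the schema files target; a one-line comment stating that would stop a later reader from "fixing" the asymmetry.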
@@ -28,8 +28,8 @@ where n.nspname = 'pgbouncer' order by p.proname; - schema_name | function_name | owner --------------+---------------+--------------------- + schema_name | function_name | owner +-------------+---------------+---------------- pgbouncer | get_auth | supabase_admin (1 row) @@ -60,8 +60,10 @@ FROM pg_proc p JOIN schema_obj s ON s.oid = p.pronamespace CROSS JOIN LATERAL aclexplode(p.proacl) AS acl ORDER BY object_name, grantee, privilege_type; - schema | object_name | grantee | privilege_type + schema | object_name | grantee | privilege_type -----------+-------------+----------------+---------------- pgbouncer | get_auth | pgbouncer | EXECUTE pgbouncer | get_auth | postgres | EXECUTE pgbouncer | get_auth | supabase_admin | EXECUTE +(3 rows) + From 62d92a01981954ba5a82944dfffeff914cd93617 Mon Sep 17 00:00:00 2001 From: Kang Ming Date: Tue, 22 Apr 2025 01:51:08 +0800 Subject: [PATCH 5/7] chore: include test for pgbouncer schema --- migrations/tests/database/exists.sql | 1 + 1 file changed, 1 insertion(+) diff --git a/migrations/tests/database/exists.sql b/migrations/tests/database/exists.sql index 54b2a3861..bc19cd32f 100644 --- a/migrations/tests/database/exists.sql +++ b/migrations/tests/database/exists.sql @@ -1,6 +1,7 @@ SELECT has_schema('public'); SELECT has_schema('auth'); +SELECT has_schema('pgbouncer'); SELECT has_schema('extensions'); SELECT has_schema('graphql'); SELECT has_schema('graphql_public'); From 81a7483661d669afe75982f3d00fa85fa8a8fcab Mon Sep 17 00:00:00 2001 From: Kang Ming Date: Tue, 22 Apr 2025 12:10:48 +0800 Subject: [PATCH 6/7] chore: remove unnecessary comment --- nix/tests/expected/pgbouncer.out | 1 - nix/tests/sql/pgbouncer.sql | 1 - 2 files changed, 2 deletions(-) diff --git a/nix/tests/expected/pgbouncer.out b/nix/tests/expected/pgbouncer.out index 49d9c500e..17f2c6293 100644 --- a/nix/tests/expected/pgbouncer.out +++ b/nix/tests/expected/pgbouncer.out 
@@ -34,7 +34,6 @@ order by (1 row) -- Tests role privileges on the pgbouncer objects --- INSERT and UPDATE privileges should not be present on the pgbouncer tables for postgres and service_role, only SELECT and DELETE WITH schema_obj AS ( SELECT oid, nspname FROM pg_namespace diff --git a/nix/tests/sql/pgbouncer.sql b/nix/tests/sql/pgbouncer.sql index 070ea1702..4ddac10e2 100644 --- a/nix/tests/sql/pgbouncer.sql +++ b/nix/tests/sql/pgbouncer.sql @@ -26,7 +26,6 @@ order by p.proname; -- Tests role privileges on the pgbouncer objects --- INSERT and UPDATE privileges should not be present on the pgbouncer tables for postgres and service_role, only SELECT and DELETE WITH schema_obj AS ( SELECT oid, nspname FROM pg_namespace From 507f13ab261f08a44d3bccb48dda019075087862 Mon Sep 17 00:00:00 2001 From: samrose Date: Tue, 22 Apr 2025 00:11:24 -0400 Subject: [PATCH 7/7] test: update schema files used for testing (#1559) --- migrations/schema-15.sql | 43 ------------------------------- migrations/schema-17.sql | 43 ------------------------------- migrations/schema-orioledb-17.sql | 43 ------------------------------- 3 files changed, 129 deletions(-) diff --git a/migrations/schema-15.sql b/migrations/schema-15.sql index 9c423c514..8ff507a84 100644 --- a/migrations/schema-15.sql +++ b/migrations/schema-15.sql 
@@ -1009,46 +1009,3 @@ CREATE EVENT TRIGGER pgrst_drop_watch ON sql_drop -- Dbmate schema migrations -- -INSERT INTO public.schema_migrations (version) VALUES - ('00000000000000'), - ('00000000000001'), - ('00000000000002'), - ('00000000000003'), - ('10000000000000'), - ('20211115181400'), - ('20211118015519'), - ('20211122051245'), - ('20211124212715'), - ('20211130151719'), - ('20220118070449'), - ('20220126121436'), - ('20220224211803'), - ('20220317095840'), - ('20220321174452'), - ('20220322085208'), - ('20220404205710'), - ('20220609081115'), - ('20220613123923'), - ('20220713082019'), - ('20221028101028'), - ('20221103090837'), - ('20221207154255'), - ('20230201083204'), - ('20230224042246'), - ('20230306081037'), - ('20230327032006'), - ('20230529180330'), - ('20231013070755'), - ('20231017062225'), - ('20231020085357'), - ('20231130133139'), - ('20240124080435'), - ('20240606060239'), - ('20241031003909'), - ('20241215003910'), - ('20250205060043'), - ('20250205144616'), - ('20250218031949'), - ('20250220051611'), - ('20250312095419'), - ('20250417190610'); diff --git a/migrations/schema-17.sql b/migrations/schema-17.sql index 436ce7faf..06fe1e7e9 100644 --- a/migrations/schema-17.sql +++ b/migrations/schema-17.sql 
@@ -996,46 +996,3 @@ CREATE EVENT TRIGGER pgrst_drop_watch ON sql_drop -- Dbmate schema migrations -- -INSERT INTO public.schema_migrations (version) VALUES - ('00000000000000'), - ('00000000000001'), - ('00000000000002'), - ('00000000000003'), - ('10000000000000'), - ('20211115181400'), - ('20211118015519'), - ('20211122051245'), - ('20211124212715'), - ('20211130151719'), - ('20220118070449'), - ('20220126121436'), - ('20220224211803'), - ('20220317095840'), - ('20220321174452'), - ('20220322085208'), - ('20220404205710'), - ('20220609081115'), - ('20220613123923'), - ('20220713082019'), - ('20221028101028'), - ('20221103090837'), - ('20221207154255'), - ('20230201083204'), - ('20230224042246'), - ('20230306081037'), - ('20230327032006'), - ('20230529180330'), - ('20231013070755'), - ('20231017062225'), - ('20231020085357'), - ('20231130133139'), - ('20240124080435'), - ('20240606060239'), - ('20241031003909'), - ('20241215003910'), - ('20250205060043'), - ('20250205144616'), - ('20250218031949'), - ('20250220051611'), - ('20250312095419'), - ('20250417190610'); diff --git a/migrations/schema-orioledb-17.sql b/migrations/schema-orioledb-17.sql index 3f59414aa..1cd6aecaa 100644 --- a/migrations/schema-orioledb-17.sql +++ b/migrations/schema-orioledb-17.sql 
@@ -1010,46 +1010,3 @@ CREATE EVENT TRIGGER pgrst_drop_watch ON sql_drop -- Dbmate schema migrations -- -INSERT INTO public.schema_migrations (version) VALUES - ('00000000000000'), - ('00000000000001'), - ('00000000000002'), - ('00000000000003'), - ('10000000000000'), - ('20211115181400'), - ('20211118015519'), - ('20211122051245'), - ('20211124212715'), - ('20211130151719'), - ('20220118070449'), - ('20220126121436'), - ('20220224211803'), - ('20220317095840'), - ('20220321174452'), - ('20220322085208'), - ('20220404205710'), - ('20220609081115'), - ('20220613123923'), - ('20220713082019'), - ('20221028101028'), - ('20221103090837'), - ('20221207154255'), - ('20230201083204'), - ('20230224042246'), - ('20230306081037'), - ('20230327032006'), - ('20230529180330'), - ('20231013070755'), - ('20231017062225'), - ('20231020085357'), - ('20231130133139'), - ('20240124080435'), - ('20240606060239'), - ('20241031003909'), - ('20241215003910'), - ('20250205060043'), - ('20250205144616'), - ('20250218031949'), - ('20250220051611'), - ('20250312095419'), - ('20250417190610');