search

supabase / supautils

PostgreSQL extension that secures a cluster on a cloud environment
https://supabase.github.io/supautils
Apache License 2.0
59 stars 13 forks source link

feat: PostgreSQL 16 compatibility #61

Closed steve-chavez closed 2 months ago

steve-chavez commented 1 year ago

@soedirgo The BYPASSRLS thing (introduced on https://github.com/supabase/supautils/pull/33) fails for pg16:

--- /home/runner/work/supautils/supautils/test/expected/privileged_role.out 2023-09-20 22:27:13.691417307 +0000
+++ /home/runner/work/supautils/supautils/results/privileged_role.out   2023-09-20 22:2[8](https://github.com/supabase/supautils/actions/runs/6254725504/job/16982849566?pr=61#step:5:9):08.143145326 +0000
@@ -86,[9](https://github.com/supabase/supautils/actions/runs/6254725504/job/16982849566?pr=61#step:5:10) +86,11 @@
 $$ language plpgsql;
 create role r;
 alter role r nobypassrls;
-ERROR:  must be superuser to change bypassrls attribute
+ERROR:  permission denied to alter role
+DETAIL:  Only roles with the BYPASSRLS attribute may change the BYPASSRLS attribute.
 alter role r bypassrls;
-ERROR:  must be superuser to change bypassrls attribute
+ERROR:  permission denied to alter role
+DETAIL:  Only roles with the BYPASSRLS attribute may change the BYPASSRLS attribute.
 drop role r;
 set role privileged_role;
 \echo
@@ -128,[11](https://github.com/supabase/supautils/actions/runs/6254725504/job/16982849566?pr=61#step:5:12) +[13](https://github.com/supabase/supautils/actions/runs/6254725504/job/16982849566?pr=61#step:5:14)0,17 @@
 -- privileged_role can modify reserved roles GUCs
 set role privileged_role;
 alter role authenticator set search_path to public;
+ERROR:  permission denied to alter role
+DETAIL:  Only roles with the CREATEROLE attribute and the ADMIN option on role "authenticator" may alter this role.
 alter role authenticator set statement_timeout = '[15](https://github.com/supabase/supautils/actions/runs/6254725504/job/16982849566?pr=61#step:5:16)s';
+ERROR:  permission denied to alter role
+DETAIL:  Only roles with the CREATEROLE attribute and the ADMIN option on role "authenticator" may alter this role.
 \echo

 -- privileged_role can do GRANT <role> to <reserved_role>
 grant testme to authenticator;
+ERROR:  permission denied to grant role "testme"
+DETAIL:  Only roles with the ADMIN option on role "testme" may grant this role.
 \echo

 -- privileged_role can set wildcard privileged_role_allowed_configs
@@ -154,7 +[16](https://github.com/supabase/supautils/actions/runs/6254725504/job/16982849566?pr=61#step:5:17)2,8 @@
 -- member of privileged_role can do privileged role stuff
 set role privileged_role_member;
 grant testme to authenticator;
-NOTICE:  role "authenticator" is already a member of role "testme"
+ERROR:  permission denied to grant role "testme"
+DETAIL:  Only roles with the ADMIN option on role "testme" may grant this role.
 set role privileged_role;
 \echo
steve-chavez commented 2 months ago

Closing in favor of https://github.com/supabase/supautils/pull/86