
Commit 4a08f05

committed
test: role privileges on auth/storage db objects
1 parent 5e19b6c commit 4a08f05


4 files changed

+312
-0
lines changed


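--- a/nix/tests/expected/auth.out
+++ b/nix/tests/expected/auth.out
@@ -44,6 +44,138 @@ order by
 auth | users | supabase_auth_admin | f |
 (5 rows)
 
+-- auth schema objects with roles privileges
+select
+ns.nspname as schema_name,
+c.relname as table_name,
+r.rolname as role_name,
+a.privilege_type,
+a.is_grantable
+from
+pg_class c
+join
+pg_namespace ns on c.relnamespace = ns.oid
+cross join lateral
+aclexplode(c.relacl) as a
+join
+pg_roles r on a.grantee = r.oid
+where
+ns.nspname = 'auth'
+and c.relkind in ('r', 'v', 'm')
+and a.privilege_type <> 'MAINTAIN'
+order by
+c.relname,
+r.rolname,
+a.privilege_type;
+schema_name | table_name | role_name | privilege_type | is_grantable
+-------------+-------------------+---------------------+----------------+--------------
+auth | audit_log_entries | dashboard_user | DELETE | f
+auth | audit_log_entries | dashboard_user | INSERT | f
+auth | audit_log_entries | dashboard_user | REFERENCES | f
+auth | audit_log_entries | dashboard_user | SELECT | f
+auth | audit_log_entries | dashboard_user | TRIGGER | f
+auth | audit_log_entries | dashboard_user | TRUNCATE | f
+auth | audit_log_entries | dashboard_user | UPDATE | f
+auth | audit_log_entries | postgres | DELETE | f
+auth | audit_log_entries | postgres | INSERT | f
+auth | audit_log_entries | postgres | REFERENCES | f
+auth | audit_log_entries | postgres | SELECT | f
+auth | audit_log_entries | postgres | TRIGGER | f
+auth | audit_log_entries | postgres | TRUNCATE | f
+auth | audit_log_entries | postgres | UPDATE | f
+auth | audit_log_entries | supabase_auth_admin | DELETE | f
+auth | audit_log_entries | supabase_auth_admin | INSERT | f
+auth | audit_log_entries | supabase_auth_admin | REFERENCES | f
+auth | audit_log_entries | supabase_auth_admin | SELECT | f
+auth | audit_log_entries | supabase_auth_admin | TRIGGER | f
+auth | audit_log_entries | supabase_auth_admin | TRUNCATE | f
+auth | audit_log_entries | supabase_auth_admin | UPDATE | f
+auth | instances | dashboard_user | DELETE | f
+auth | instances | dashboard_user | INSERT | f
+auth | instances | dashboard_user | REFERENCES | f
+auth | instances | dashboard_user | SELECT | f
+auth | instances | dashboard_user | TRIGGER | f
+auth | instances | dashboard_user | TRUNCATE | f
+auth | instances | dashboard_user | UPDATE | f
+auth | instances | postgres | DELETE | f
+auth | instances | postgres | INSERT | f
+auth | instances | postgres | REFERENCES | f
+auth | instances | postgres | SELECT | f
+auth | instances | postgres | TRIGGER | f
+auth | instances | postgres | TRUNCATE | f
+auth | instances | postgres | UPDATE | f
+auth | instances | supabase_auth_admin | DELETE | f
+auth | instances | supabase_auth_admin | INSERT | f
+auth | instances | supabase_auth_admin | REFERENCES | f
+auth | instances | supabase_auth_admin | SELECT | f
+auth | instances | supabase_auth_admin | TRIGGER | f
+auth | instances | supabase_auth_admin | TRUNCATE | f
+auth | instances | supabase_auth_admin | UPDATE | f
+auth | refresh_tokens | dashboard_user | DELETE | f
+auth | refresh_tokens | dashboard_user | INSERT | f
+auth | refresh_tokens | dashboard_user | REFERENCES | f
+auth | refresh_tokens | dashboard_user | SELECT | f
+auth | refresh_tokens | dashboard_user | TRIGGER | f
+auth | refresh_tokens | dashboard_user | TRUNCATE | f
+auth | refresh_tokens | dashboard_user | UPDATE | f
+auth | refresh_tokens | postgres | DELETE | f
+auth | refresh_tokens | postgres | INSERT | f
+auth | refresh_tokens | postgres | REFERENCES | f
+auth | refresh_tokens | postgres | SELECT | f
+auth | refresh_tokens | postgres | TRIGGER | f
+auth | refresh_tokens | postgres | TRUNCATE | f
+auth | refresh_tokens | postgres | UPDATE | f
+auth | refresh_tokens | supabase_auth_admin | DELETE | f
+auth | refresh_tokens | supabase_auth_admin | INSERT | f
+auth | refresh_tokens | supabase_auth_admin | REFERENCES | f
+auth | refresh_tokens | supabase_auth_admin | SELECT | f
+auth | refresh_tokens | supabase_auth_admin | TRIGGER | f
+auth | refresh_tokens | supabase_auth_admin | TRUNCATE | f
+auth | refresh_tokens | supabase_auth_admin | UPDATE | f
+auth | schema_migrations | dashboard_user | DELETE | f
+auth | schema_migrations | dashboard_user | INSERT | f
+auth | schema_migrations | dashboard_user | REFERENCES | f
+auth | schema_migrations | dashboard_user | SELECT | f
+auth | schema_migrations | dashboard_user | TRIGGER | f
+auth | schema_migrations | dashboard_user | TRUNCATE | f
+auth | schema_migrations | dashboard_user | UPDATE | f
+auth | schema_migrations | postgres | DELETE | f
+auth | schema_migrations | postgres | INSERT | f
+auth | schema_migrations | postgres | REFERENCES | f
+auth | schema_migrations | postgres | SELECT | f
+auth | schema_migrations | postgres | TRIGGER | f
+auth | schema_migrations | postgres | TRUNCATE | f
+auth | schema_migrations | postgres | UPDATE | f
+auth | schema_migrations | supabase_auth_admin | DELETE | f
+auth | schema_migrations | supabase_auth_admin | INSERT | f
+auth | schema_migrations | supabase_auth_admin | REFERENCES | f
+auth | schema_migrations | supabase_auth_admin | SELECT | f
+auth | schema_migrations | supabase_auth_admin | TRIGGER | f
+auth | schema_migrations | supabase_auth_admin | TRUNCATE | f
+auth | schema_migrations | supabase_auth_admin | UPDATE | f
+auth | users | dashboard_user | DELETE | f
+auth | users | dashboard_user | INSERT | f
+auth | users | dashboard_user | REFERENCES | f
+auth | users | dashboard_user | SELECT | f
+auth | users | dashboard_user | TRIGGER | f
+auth | users | dashboard_user | TRUNCATE | f
+auth | users | dashboard_user | UPDATE | f
+auth | users | postgres | DELETE | f
+auth | users | postgres | INSERT | f
+auth | users | postgres | REFERENCES | f
+auth | users | postgres | SELECT | f
+auth | users | postgres | TRIGGER | f
+auth | users | postgres | TRUNCATE | f
+auth | users | postgres | UPDATE | f
+auth | users | supabase_auth_admin | DELETE | f
+auth | users | supabase_auth_admin | INSERT | f
+auth | users | supabase_auth_admin | REFERENCES | f
+auth | users | supabase_auth_admin | SELECT | f
+auth | users | supabase_auth_admin | TRIGGER | f
+auth | users | supabase_auth_admin | TRUNCATE | f
+auth | users | supabase_auth_admin | UPDATE | f
+(105 rows)
+
 -- auth indexes with owners
 select
 ns.nspname as table_schema,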

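--- a/nix/tests/expected/storage.out
+++ b/nix/tests/expected/storage.out
@@ -42,6 +42,138 @@ order by
 storage | objects | supabase_storage_admin | t |
 (3 rows)
 
+-- storage schema objects with roles privileges
+select
+ns.nspname as schema_name,
+c.relname as table_name,
+r.rolname as role_name,
+a.privilege_type,
+a.is_grantable
+from
+pg_class c
+join
+pg_namespace ns on c.relnamespace = ns.oid
+cross join lateral
+aclexplode(c.relacl) as a
+join
+pg_roles r on a.grantee = r.oid
+where
+ns.nspname = 'storage'
+and c.relkind in ('r', 'v', 'm')
+and a.privilege_type <> 'MAINTAIN'
+order by
+c.relname,
+r.rolname,
+a.privilege_type;
+schema_name | table_name | role_name | privilege_type | is_grantable
+-------------+------------+------------------------+----------------+--------------
+storage | buckets | anon | DELETE | f
+storage | buckets | anon | INSERT | f
+storage | buckets | anon | REFERENCES | f
+storage | buckets | anon | SELECT | f
+storage | buckets | anon | TRIGGER | f
+storage | buckets | anon | TRUNCATE | f
+storage | buckets | anon | UPDATE | f
+storage | buckets | authenticated | DELETE | f
+storage | buckets | authenticated | INSERT | f
+storage | buckets | authenticated | REFERENCES | f
+storage | buckets | authenticated | SELECT | f
+storage | buckets | authenticated | TRIGGER | f
+storage | buckets | authenticated | TRUNCATE | f
+storage | buckets | authenticated | UPDATE | f
+storage | buckets | postgres | DELETE | f
+storage | buckets | postgres | INSERT | f
+storage | buckets | postgres | REFERENCES | f
+storage | buckets | postgres | SELECT | f
+storage | buckets | postgres | TRIGGER | f
+storage | buckets | postgres | TRUNCATE | f
+storage | buckets | postgres | UPDATE | f
+storage | buckets | service_role | DELETE | f
+storage | buckets | service_role | INSERT | f
+storage | buckets | service_role | REFERENCES | f
+storage | buckets | service_role | SELECT | f
+storage | buckets | service_role | TRIGGER | f
+storage | buckets | service_role | TRUNCATE | f
+storage | buckets | service_role | UPDATE | f
+storage | buckets | supabase_storage_admin | DELETE | f
+storage | buckets | supabase_storage_admin | INSERT | f
+storage | buckets | supabase_storage_admin | REFERENCES | f
+storage | buckets | supabase_storage_admin | SELECT | f
+storage | buckets | supabase_storage_admin | TRIGGER | f
+storage | buckets | supabase_storage_admin | TRUNCATE | f
+storage | buckets | supabase_storage_admin | UPDATE | f
+storage | migrations | anon | DELETE | f
+storage | migrations | anon | INSERT | f
+storage | migrations | anon | REFERENCES | f
+storage | migrations | anon | SELECT | f
+storage | migrations | anon | TRIGGER | f
+storage | migrations | anon | TRUNCATE | f
+storage | migrations | anon | UPDATE | f
+storage | migrations | authenticated | DELETE | f
+storage | migrations | authenticated | INSERT | f
+storage | migrations | authenticated | REFERENCES | f
+storage | migrations | authenticated | SELECT | f
+storage | migrations | authenticated | TRIGGER | f
+storage | migrations | authenticated | TRUNCATE | f
+storage | migrations | authenticated | UPDATE | f
+storage | migrations | postgres | DELETE | f
+storage | migrations | postgres | INSERT | f
+storage | migrations | postgres | REFERENCES | f
+storage | migrations | postgres | SELECT | f
+storage | migrations | postgres | TRIGGER | f
+storage | migrations | postgres | TRUNCATE | f
+storage | migrations | postgres | UPDATE | f
+storage | migrations | service_role | DELETE | f
+storage | migrations | service_role | INSERT | f
+storage | migrations | service_role | REFERENCES | f
+storage | migrations | service_role | SELECT | f
+storage | migrations | service_role | TRIGGER | f
+storage | migrations | service_role | TRUNCATE | f
+storage | migrations | service_role | UPDATE | f
+storage | migrations | supabase_storage_admin | DELETE | f
+storage | migrations | supabase_storage_admin | INSERT | f
+storage | migrations | supabase_storage_admin | REFERENCES | f
+storage | migrations | supabase_storage_admin | SELECT | f
+storage | migrations | supabase_storage_admin | TRIGGER | f
+storage | migrations | supabase_storage_admin | TRUNCATE | f
+storage | migrations | supabase_storage_admin | UPDATE | f
+storage | objects | anon | DELETE | f
+storage | objects | anon | INSERT | f
+storage | objects | anon | REFERENCES | f
+storage | objects | anon | SELECT | f
+storage | objects | anon | TRIGGER | f
+storage | objects | anon | TRUNCATE | f
+storage | objects | anon | UPDATE | f
+storage | objects | authenticated | DELETE | f
+storage | objects | authenticated | INSERT | f
+storage | objects | authenticated | REFERENCES | f
+storage | objects | authenticated | SELECT | f
+storage | objects | authenticated | TRIGGER | f
+storage | objects | authenticated | TRUNCATE | f
+storage | objects | authenticated | UPDATE | f
+storage | objects | postgres | DELETE | f
+storage | objects | postgres | INSERT | f
+storage | objects | postgres | REFERENCES | f
+storage | objects | postgres | SELECT | f
+storage | objects | postgres | TRIGGER | f
+storage | objects | postgres | TRUNCATE | f
+storage | objects | postgres | UPDATE | f
+storage | objects | service_role | DELETE | f
+storage | objects | service_role | INSERT | f
+storage | objects | service_role | REFERENCES | f
+storage | objects | service_role | SELECT | f
+storage | objects | service_role | TRIGGER | f
+storage | objects | service_role | TRUNCATE | f
+storage | objects | service_role | UPDATE | f
+storage | objects | supabase_storage_admin | DELETE | f
+storage | objects | supabase_storage_admin | INSERT | f
+storage | objects | supabase_storage_admin | REFERENCES | f
+storage | objects | supabase_storage_admin | SELECT | f
+storage | objects | supabase_storage_admin | TRIGGER | f
+storage | objects | supabase_storage_admin | TRUNCATE | f
+storage | objects | supabase_storage_admin | UPDATE | f
+(105 rows)
+
 -- storage indexes with owners
 select
 ns.nspname as table_schema,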

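--- a/nix/tests/sql/auth.sql
+++ b/nix/tests/sql/auth.sql
@@ -32,6 +32,30 @@ group by
 order by
 c.relname;
 
+-- auth schema objects with roles privileges
+select
+ns.nspname as schema_name,
+c.relname as table_name,
+r.rolname as role_name,
+a.privilege_type,
+a.is_grantable
+from
+pg_class c
+join
+pg_namespace ns on c.relnamespace = ns.oid
+cross join lateral
+aclexplode(c.relacl) as a
+join
+pg_roles r on a.grantee = r.oid
+where
+ns.nspname = 'auth'
+and c.relkind in ('r', 'v', 'm')
+and a.privilege_type <> 'MAINTAIN'
+order by
+c.relname,
+r.rolname,
+a.privilege_type;
+
 -- auth indexes with owners
 select
 ns.nspname as table_schema,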
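Review bot: Grants to PUBLIC never show up in this snapshot, because `join pg_roles r on a.grantee = r.oid` is an inner join and aclexplode reports PUBLIC as grantee 0, which has no pg_roles row, so a `grant ... to public` on an auth table would leave the expected output unchanged and the test green. Use `left join pg_roles r on a.grantee = r.oid` and select `coalesce(r.rolname, 'PUBLIC') as role_name` so such a grant produces a visible diff. A second gap: a table whose relacl is null (no explicit grant issued yet) yields no rows from aclexplode and silently drops out of the listing instead of appearing with its owner's default privileges; `aclexplode(coalesce(c.relacl, acldefault('r', c.relowner))) as a` keeps it visible. The identical query in nix/tests/sql/storage.sql has the same two gaps, and the expected outputs would need regenerating for either change.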

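--- a/nix/tests/sql/storage.sql
+++ b/nix/tests/sql/storage.sql
@@ -32,6 +32,30 @@ group by
 order by
 c.relname;
 
+-- storage schema objects with roles privileges
+select
+ns.nspname as schema_name,
+c.relname as table_name,
+r.rolname as role_name,
+a.privilege_type,
+a.is_grantable
+from
+pg_class c
+join
+pg_namespace ns on c.relnamespace = ns.oid
+cross join lateral
+aclexplode(c.relacl) as a
+join
+pg_roles r on a.grantee = r.oid
+where
+ns.nspname = 'storage'
+and c.relkind in ('r', 'v', 'm')
+and a.privilege_type <> 'MAINTAIN'
+order by
+c.relname,
+r.rolname,
+a.privilege_type;
+
 -- storage indexes with owners
 select
 ns.nspname as table_schema,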
