diff --git a/nix/tests/expected/auth.out b/nix/tests/expected/auth.out index 7e35c1b33..d3277513a 100644 --- a/nix/tests/expected/auth.out +++ b/nix/tests/expected/auth.out @@ -40,29 +40,35 @@ where r.rolname = 'supabase_auth_admin'; {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none} (1 row) --- auth schema tables with owners +-- auth schema tables with owners and rls policies select - n.nspname as schema_name, + ns.nspname as schema_name, c.relname as table_name, - r.rolname as owner + r.rolname as owner, + c.relrowsecurity as rls_enabled, + string_agg(p.polname, ', ' order by p.polname) as rls_policies from pg_class c join - pg_namespace n on c.relnamespace = n.oid + pg_namespace ns on c.relnamespace = ns.oid join pg_roles r on c.relowner = r.oid +left join + pg_policy p on p.polrelid = c.oid where - c.relkind in ('r') -- 'r' for regular tables - and n.nspname = 'auth' + ns.nspname = 'auth' + and c.relkind = 'r' +group by + ns.nspname, c.relname, r.rolname, c.relrowsecurity order by c.relname; - schema_name | table_name | owner --------------+-------------------+--------------------- - auth | audit_log_entries | supabase_auth_admin - auth | instances | supabase_auth_admin - auth | refresh_tokens | supabase_auth_admin - auth | schema_migrations | supabase_auth_admin - auth | users | supabase_auth_admin + schema_name | table_name | owner | rls_enabled | rls_policies +-------------+-------------------+---------------------+-------------+-------------- + auth | audit_log_entries | supabase_auth_admin | f | + auth | instances | supabase_auth_admin | f | + auth | refresh_tokens | supabase_auth_admin | f | + auth | schema_migrations | supabase_auth_admin | f | + auth | users | supabase_auth_admin | f | (5 rows) -- auth indexes with owners diff --git a/nix/tests/expected/storage.out b/nix/tests/expected/storage.out new file mode 100644 index 000000000..755e6c516 --- /dev/null +++ b/nix/tests/expected/storage.out @@ -0,0 +1,174 @@ +-- storage schema owner +select + n.nspname as schema_name, + r.rolname as owner +from + pg_namespace n +join + pg_roles r on n.nspowner = r.oid +where + n.nspname = 'storage'; + schema_name | owner +-------------+---------------- + storage | supabase_admin +(1 row) + +-- attributes of the supabase_storage_admin +select + rolcreaterole , + rolcanlogin , + rolsuper , + rolinherit , + rolcreatedb , + rolreplication , + rolconnlimit , + rolbypassrls , + rolvaliduntil +from pg_roles r +where r.rolname = 'supabase_storage_admin'; + rolcreaterole | rolcanlogin | rolsuper | rolinherit | rolcreatedb | rolreplication | rolconnlimit | rolbypassrls | rolvaliduntil +---------------+-------------+----------+------------+-------------+----------------+--------------+--------------+--------------- + t | t | f | f | f | f | -1 | f | +(1 row) + +select + rolconfig +from pg_roles r +where r.rolname = 'supabase_storage_admin'; + rolconfig +------------------------------------------ + {search_path=storage,log_statement=none} +(1 row) + +-- storage schema tables with owners and rls policies +select + ns.nspname as schema_name, + c.relname as table_name, + r.rolname as owner, + c.relrowsecurity as rls_enabled, + string_agg(p.polname, ', ' order by p.polname) as rls_policies +from + pg_class c +join + pg_namespace ns on c.relnamespace = ns.oid +join + pg_roles r on c.relowner = r.oid +left join + pg_policy p on p.polrelid = c.oid +where + ns.nspname = 'storage' + and c.relkind = 'r' +group by + ns.nspname, c.relname, r.rolname, c.relrowsecurity +order by + c.relname; + schema_name | table_name | owner | rls_enabled | rls_policies +-------------+------------+------------------------+-------------+-------------- + storage | buckets | supabase_storage_admin | f | + storage | migrations | supabase_storage_admin | f | + storage | objects | supabase_storage_admin | t | +(3 rows) + +-- storage indexes with owners +select + ns.nspname as table_schema, + t.relname as table_name, + i.relname as index_name, + r.rolname as index_owner +from + pg_class t +join + pg_namespace ns on t.relnamespace = ns.oid +join + pg_index idx on t.oid = idx.indrelid +join + pg_class i on idx.indexrelid = i.oid +join + pg_roles r on i.relowner = r.oid +where + ns.nspname = 'storage' +order by + t.relname, i.relname; + table_schema | table_name | index_name | index_owner +--------------+------------+---------------------+------------------------ + storage | buckets | bname | supabase_storage_admin + storage | buckets | buckets_pkey | supabase_storage_admin + storage | migrations | migrations_name_key | supabase_storage_admin + storage | migrations | migrations_pkey | supabase_storage_admin + storage | objects | bucketid_objname | supabase_storage_admin + storage | objects | name_prefix_search | supabase_storage_admin + storage | objects | objects_pkey | supabase_storage_admin +(7 rows) + +-- storage schema functions with owners +select + n.nspname as schema_name, + p.proname as function_name, + r.rolname as owner +from + pg_proc p +join + pg_namespace n on p.pronamespace = n.oid +join + pg_roles r on p.proowner = r.oid +where + n.nspname = 'storage' +order by + p.proname; + schema_name | function_name | owner +-------------+---------------+------------------------ + storage | extension | supabase_storage_admin + storage | filename | supabase_storage_admin + storage | foldername | supabase_storage_admin + storage | search | supabase_storage_admin +(4 rows) + +-- roles which have USAGE on the storage schema +select + n.nspname as schema_name, + r.rolname as role_name, + a.privilege_type +from + pg_namespace n +cross join lateral aclexplode(n.nspacl) as a +join + pg_roles r on a.grantee = r.oid +where + n.nspname = 'storage' + and a.privilege_type = 'USAGE' +order by + r.rolname; + schema_name | role_name | privilege_type +-------------+------------------------+---------------- + storage | anon | USAGE + storage | authenticated | USAGE + storage | dashboard_user | USAGE + storage | postgres | USAGE + storage | service_role | USAGE + storage | supabase_admin | USAGE + storage | supabase_storage_admin | USAGE +(7 rows) + +-- roles which have CREATE on the storage schema +select + n.nspname as schema_name, + r.rolname as role_name, + a.privilege_type +from + pg_namespace n +cross join lateral aclexplode(n.nspacl) as a +join + pg_roles r on a.grantee = r.oid +where + n.nspname = 'storage' + and a.privilege_type = 'CREATE' +order by + r.rolname; + schema_name | role_name | privilege_type +-------------+------------------------+---------------- + storage | dashboard_user | CREATE + storage | postgres | CREATE + storage | supabase_admin | CREATE + storage | supabase_storage_admin | CREATE +(4 rows) + diff --git a/nix/tests/sql/auth.sql b/nix/tests/sql/auth.sql index 26916c0b4..47e2931ae 100644 --- a/nix/tests/sql/auth.sql +++ b/nix/tests/sql/auth.sql @@ -28,20 +28,26 @@ select from pg_roles r where r.rolname = 'supabase_auth_admin'; --- auth schema tables with owners +-- auth schema tables with owners and rls policies select - n.nspname as schema_name, + ns.nspname as schema_name, c.relname as table_name, - r.rolname as owner + r.rolname as owner, + c.relrowsecurity as rls_enabled, + string_agg(p.polname, ', ' order by p.polname) as rls_policies from pg_class c join - pg_namespace n on c.relnamespace = n.oid + pg_namespace ns on c.relnamespace = ns.oid join pg_roles r on c.relowner = r.oid +left join + pg_policy p on p.polrelid = c.oid where - c.relkind in ('r') -- 'r' for regular tables - and n.nspname = 'auth' + ns.nspname = 'auth' + and c.relkind = 'r' +group by + ns.nspname, c.relname, r.rolname, c.relrowsecurity order by c.relname; diff --git a/nix/tests/sql/storage.sql b/nix/tests/sql/storage.sql new file mode 100644 index 000000000..5dfd5f0bb --- /dev/null +++ b/nix/tests/sql/storage.sql @@ -0,0 +1,121 @@ +-- storage schema owner +select + n.nspname as schema_name, + r.rolname as owner +from + pg_namespace n +join + pg_roles r on n.nspowner = r.oid +where + n.nspname = 'storage'; + +-- attributes of the supabase_storage_admin +select + rolcreaterole , + rolcanlogin , + rolsuper , + rolinherit , + rolcreatedb , + rolreplication , + rolconnlimit , + rolbypassrls , + rolvaliduntil +from pg_roles r +where r.rolname = 'supabase_storage_admin'; + +select + rolconfig +from pg_roles r +where r.rolname = 'supabase_storage_admin'; + +-- storage schema tables with owners and rls policies +select + ns.nspname as schema_name, + c.relname as table_name, + r.rolname as owner, + c.relrowsecurity as rls_enabled, + string_agg(p.polname, ', ' order by p.polname) as rls_policies +from + pg_class c +join + pg_namespace ns on c.relnamespace = ns.oid +join + pg_roles r on c.relowner = r.oid +left join + pg_policy p on p.polrelid = c.oid +where + ns.nspname = 'storage' + and c.relkind = 'r' +group by + ns.nspname, c.relname, r.rolname, c.relrowsecurity +order by + c.relname; + +-- storage indexes with owners +select + ns.nspname as table_schema, + t.relname as table_name, + i.relname as index_name, + r.rolname as index_owner +from + pg_class t +join + pg_namespace ns on t.relnamespace = ns.oid +join + pg_index idx on t.oid = idx.indrelid +join + pg_class i on idx.indexrelid = i.oid +join + pg_roles r on i.relowner = r.oid +where + ns.nspname = 'storage' +order by + t.relname, i.relname; + +-- storage schema functions with owners +select + n.nspname as schema_name, + p.proname as function_name, + r.rolname as owner +from + pg_proc p +join + pg_namespace n on p.pronamespace = n.oid +join + pg_roles r on p.proowner = r.oid +where + n.nspname = 'storage' +order by + p.proname; + +-- roles which have USAGE on the storage schema +select + n.nspname as schema_name, + r.rolname as role_name, + a.privilege_type +from + pg_namespace n +cross join lateral aclexplode(n.nspacl) as a +join + pg_roles r on a.grantee = r.oid +where + n.nspname = 'storage' + and a.privilege_type = 'USAGE' +order by + r.rolname; + +-- roles which have CREATE on the storage schema +select + n.nspname as schema_name, + r.rolname as role_name, + a.privilege_type +from + pg_namespace n +cross join lateral aclexplode(n.nspacl) as a +join + pg_roles r on a.grantee = r.oid +where + n.nspname = 'storage' + and a.privilege_type = 'CREATE' +order by + r.rolname;