fix: update pgbouncer.get_auth (INFRA-1530) #1554

Merged
merged 7 commits into from
Apr 22, 2025
@@ -0,0 +1,24 @@
-- migrate:up

create or replace function pgbouncer.get_auth(p_usename text) returns table (username text, password text)
language plpgsql security definer
as $$
begin
raise debug 'PgBouncer auth request: %', p_usename;

return query
select
rolname::text,
case when rolvaliduntil < now()
then null
else rolpassword::text
end
from pg_authid
where rolname=$1 and rolcanlogin;
end;
$$;

-- from migrations/db/migrations/20250312095419_pgbouncer_ownership.sql
grant execute on function pgbouncer.get_auth(p_usename text) to postgres;

-- migrate:down
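Review bot: The rewritten `pgbouncer.get_auth` is `security definer` but pins no `search_path`, and its body references `pg_authid` and `now()` unqualified, whereas the definition it replaces (shown as removed in the schema-15/17 sections) read from `pg_catalog.pg_shadow`. Without a `set` clause a security-definer function resolves unqualified names through the caller's search_path, so PostgreSQL's guidance is to fix the path on the function itself; I would make the header `language plpgsql security definer set search_path = pg_catalog, pg_temp` and write `from pg_catalog.pg_authid`. The same body is repeated in the three schema dump sections, which would pick the change up when regenerated. Separately, `-- migrate:down` is empty, so this migration has no rollback path; if that is deliberate, a one-line comment saying so would help.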
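--- a/migrations/schema-15.sql
+++ b/migrations/schema-15.sql
@@ -483,15 +483,21 @@ COMMENT ON FUNCTION extensions.set_graphql_placeholder() IS 'Reintroduces placeh
 
 CREATE FUNCTION pgbouncer.get_auth(p_usename text) RETURNS TABLE(username text, password text)
 LANGUAGE plpgsql SECURITY DEFINER
-AS $$
-BEGIN
-RAISE WARNING 'PgBouncer auth request: %', p_usename;
-
-RETURN QUERY
-SELECT usename::TEXT, passwd::TEXT FROM pg_catalog.pg_shadow
-WHERE usename = p_usename;
-END;
-$$;
+AS $_$
+begin
+raise debug 'PgBouncer auth request: %', p_usename;
+
+return query
+select
+rolname::text,
+case when rolvaliduntil < now()
+then null
+else rolpassword::text
+end
+from pg_authid
+where rolname=$1 and rolcanlogin;
+end;
+$_$;
 
 
 --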
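--- a/migrations/schema-17.sql
+++ b/migrations/schema-17.sql
@@ -470,15 +470,21 @@ COMMENT ON FUNCTION extensions.set_graphql_placeholder() IS 'Reintroduces placeh
 
 CREATE FUNCTION pgbouncer.get_auth(p_usename text) RETURNS TABLE(username text, password text)
 LANGUAGE plpgsql SECURITY DEFINER
-AS $$
-BEGIN
-RAISE WARNING 'PgBouncer auth request: %', p_usename;
-
-RETURN QUERY
-SELECT usename::TEXT, passwd::TEXT FROM pg_catalog.pg_shadow
-WHERE usename = p_usename;
-END;
-$$;
+AS $_$
+begin
+raise debug 'PgBouncer auth request: %', p_usename;
+
+return query
+select
+rolname::text,
+case when rolvaliduntil < now()
+then null
+else rolpassword::text
+end
+from pg_authid
+where rolname=$1 and rolcanlogin;
+end;
+$_$;
 
 
 --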
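--- a/migrations/schema-orioledb-17.sql
+++ b/migrations/schema-orioledb-17.sql
@@ -484,15 +484,21 @@ COMMENT ON FUNCTION extensions.set_graphql_placeholder() IS 'Reintroduces placeh
 
 CREATE FUNCTION pgbouncer.get_auth(p_usename text) RETURNS TABLE(username text, password text)
 LANGUAGE plpgsql SECURITY DEFINER
-AS $$
-BEGIN
-RAISE WARNING 'PgBouncer auth request: %', p_usename;
-
-RETURN QUERY
-SELECT usename::TEXT, passwd::TEXT FROM pg_catalog.pg_shadow
-WHERE usename = p_usename;
-END;
-$$;
+AS $_$
+begin
+raise debug 'PgBouncer auth request: %', p_usename;
+
+return query
+select
+rolname::text,
+case when rolvaliduntil < now()
+then null
+else rolpassword::text
+end
+from pg_authid
+where rolname=$1 and rolcanlogin;
+end;
+$_$;
 
 
 --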
1 change: 1 addition & 0 deletions migrations/tests/database/exists.sql
@@ -1,6 +1,7 @@

SELECT has_schema('public');
SELECT has_schema('auth');
SELECT has_schema('pgbouncer');
SELECT has_schema('extensions');
SELECT has_schema('graphql');
SELECT has_schema('graphql_public');
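--- a/nix/tests/expected/pgbouncer.out
+++ b/nix/tests/expected/pgbouncer.out
@@ -0,0 +1,68 @@
+-- pgbouncer schema owner
+select
+n.nspname as schema_name,
+r.rolname as owner
+from
+pg_namespace n
+join
+pg_roles r on n.nspowner = r.oid
+where
+n.nspname = 'pgbouncer';
+schema_name | owner
+-------------+-----------
+pgbouncer | pgbouncer
+(1 row)
+
+-- pgbouncer schema functions with owners
+select
+n.nspname as schema_name,
+p.proname as function_name,
+r.rolname as owner
+from
+pg_proc p
+join
+pg_namespace n on p.pronamespace = n.oid
+join
+pg_roles r on p.proowner = r.oid
+where
+n.nspname = 'pgbouncer'
+order by
+p.proname;
+schema_name | function_name | owner
+-------------+---------------+----------------
+pgbouncer | get_auth | supabase_admin
+(1 row)
+
+-- Tests role privileges on the pgbouncer objects
+WITH schema_obj AS (
+SELECT oid, nspname
+FROM pg_namespace
+WHERE nspname = 'pgbouncer'
+)
+SELECT
+s.nspname AS schema,
+c.relname AS object_name,
+acl.grantee::regrole::text AS grantee,
+acl.privilege_type
+FROM pg_class c
+JOIN schema_obj s ON s.oid = c.relnamespace
+CROSS JOIN LATERAL aclexplode(c.relacl) AS acl
+WHERE c.relkind IN ('r', 'v', 'm', 'f', 'p')
+AND acl.privilege_type <> 'MAINTAIN'
+UNION ALL
+SELECT
+s.nspname AS schema,
+p.proname AS object_name,
+acl.grantee::regrole::text AS grantee,
+acl.privilege_type
+FROM pg_proc p
+JOIN schema_obj s ON s.oid = p.pronamespace
+CROSS JOIN LATERAL aclexplode(p.proacl) AS acl
+ORDER BY object_name, grantee, privilege_type;
+schema | object_name | grantee | privilege_type
+-----------+-------------+----------------+----------------
+pgbouncer | get_auth | pgbouncer | EXECUTE
+pgbouncer | get_auth | postgres | EXECUTE
+pgbouncer | get_auth | supabase_admin | EXECUTE
+(3 rows)
+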
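--- a/nix/tests/sql/pgbouncer.sql
+++ b/nix/tests/sql/pgbouncer.sql
@@ -0,0 +1,53 @@
+-- pgbouncer schema owner
+select
+n.nspname as schema_name,
+r.rolname as owner
+from
+pg_namespace n
+join
+pg_roles r on n.nspowner = r.oid
+where
+n.nspname = 'pgbouncer';
+
+-- pgbouncer schema functions with owners
+select
+n.nspname as schema_name,
+p.proname as function_name,
+r.rolname as owner
+from
+pg_proc p
+join
+pg_namespace n on p.pronamespace = n.oid
+join
+pg_roles r on p.proowner = r.oid
+where
+n.nspname = 'pgbouncer'
+order by
+p.proname;
+
+-- Tests role privileges on the pgbouncer objects
+WITH schema_obj AS (
+SELECT oid, nspname
+FROM pg_namespace
+WHERE nspname = 'pgbouncer'
+)
+SELECT
+s.nspname AS schema,
+c.relname AS object_name,
+acl.grantee::regrole::text AS grantee,
+acl.privilege_type
+FROM pg_class c
+JOIN schema_obj s ON s.oid = c.relnamespace
+CROSS JOIN LATERAL aclexplode(c.relacl) AS acl
+WHERE c.relkind IN ('r', 'v', 'm', 'f', 'p')
+AND acl.privilege_type <> 'MAINTAIN'
+UNION ALL
+SELECT
+s.nspname AS schema,
+p.proname AS object_name,
+acl.grantee::regrole::text AS grantee,
+acl.privilege_type
+FROM pg_proc p
+JOIN schema_obj s ON s.oid = p.pronamespace
+CROSS JOIN LATERAL aclexplode(p.proacl) AS acl
+ORDER BY object_name, grantee, privilege_type;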
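Review bot: These queries pin the schema owner, the function owner and the EXECUTE grants, but nothing here exercises the logic this change introduces in `get_auth`: the `rolvaliduntil < now()` branch and the `rolcanlogin` filter. A case that creates a role with `valid until` in the past and asserts `password is null`, plus one asserting that a `nologin` role returns no rows, would catch a regression without printing any hash into the expected output. It may also be worth adding `p.prosecdef` and `p.proconfig` to the second query so that the security-definer flag and any pinned `search_path` become part of what the test locks down.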