diff --git a/ansible/files/postgresql_config/supautils.conf.j2 b/ansible/files/postgresql_config/supautils.conf.j2
index 2fefa6496..49d339ceb 100644
--- a/ansible/files/postgresql_config/supautils.conf.j2
+++ b/ansible/files/postgresql_config/supautils.conf.j2
@@ -3,10 +3,10 @@ supautils.policy_grants = '{"postgres":["auth.audit_log_entries","auth.flow_stat
 supautils.drop_trigger_grants = '{"postgres":["auth.audit_log_entries","auth.flow_state","auth.identities","auth.instances","auth.mfa_amr_claims","auth.mfa_challenges","auth.mfa_factors","auth.oauth_clients","auth.one_time_tokens","auth.refresh_tokens","auth.saml_providers","auth.saml_relay_states","auth.sessions","auth.sso_domains","auth.sso_providers","auth.users","realtime.messages","realtime.subscription","storage.buckets","storage.buckets_analytics","storage.objects","storage.prefixes","storage.s3_multipart_uploads","storage.s3_multipart_uploads_parts"]}'
 # full list: address_standardizer, address_standardizer_data_us, adminpack, amcheck, autoinc, bloom, btree_gin, btree_gist, citext, cube, dblink, dict_int, dict_xsyn, earthdistance, file_fdw, fuzzystrmatch, hstore, http, hypopg, index_advisor, insert_username, intagg, intarray, isn, lo, ltree, moddatetime, old_snapshot, orioledb, pageinspect, pg_buffercache, pg_cron, pg_freespacemap, pg_graphql, pg_hashids, pg_jsonschema, pg_net, pg_prewarm, pg_repack, pg_stat_monitor, pg_stat_statements, pg_surgery, pg_tle, pg_trgm, pg_visibility, pg_walinspect, pgaudit, pgcrypto, pgjwt, pgmq, pgroonga, pgroonga_database, pgrouting, pgrowlocks, pgsodium, pgstattuple, pgtap, plcoffee, pljava, plls, plpgsql, plpgsql_check, plv8, postgis, postgis_raster, postgis_sfcgal, postgis_tiger_geocoder, postgis_topology, postgres_fdw, refint, rum, seg, sslinfo, supabase_vault, supautils, tablefunc, tcn, timescaledb, tsm_system_rows, tsm_system_time, unaccent, uuid-ossp, vector, wrappers, xml2
 # omitted because may be unsafe: adminpack, amcheck, file_fdw, lo, old_snapshot, pageinspect, pg_freespacemap, pg_surgery, pg_visibility
-# NOTE: keep nix/tests/prime-superuser.sql in sync with the "may be unsafe" list above.
# omitted because deprecated: intagg, xml2
 # omitted because doesn't require superuser: pgmq
 # omitted because protected: plpgsql
+# NOTE: keep nix/tests/prime-superuser.sql in sync with the "may be unsafe" + "deprecated" lists above.
 supautils.privileged_extensions = 'address_standardizer, address_standardizer_data_us, autoinc, bloom, btree_gin, btree_gist, citext, cube, dblink, dict_int, dict_xsyn, earthdistance, fuzzystrmatch, hstore, http, hypopg, index_advisor, insert_username, intarray, isn, ltree, moddatetime, orioledb, pg_buffercache, pg_cron, pg_graphql, pg_hashids, pg_jsonschema, pg_net, pg_prewarm, pg_repack, pg_stat_monitor, pg_stat_statements, pg_tle, pg_trgm, pg_walinspect, pgaudit, pgcrypto, pgjwt, pgroonga, pgroonga_database, pgrouting, pgrowlocks, pgsodium, pgstattuple, pgtap, plcoffee, pljava, plls, plpgsql_check, plv8, postgis, postgis_raster, postgis_sfcgal, postgis_tiger_geocoder, postgis_topology, postgres_fdw, refint, rum, seg, sslinfo, supabase_vault, supautils, tablefunc, tcn, timescaledb, tsm_system_rows, tsm_system_time, unaccent, uuid-ossp, vector, wrappers'
 supautils.extension_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
 supautils.privileged_extensions_superuser = 'supabase_admin'
diff --git a/nix/tests/prime-superuser.sql b/nix/tests/prime-superuser.sql
index d2998ce4c..3d3a2c8b7 100644
--- a/nix/tests/prime-superuser.sql
+++ b/nix/tests/prime-superuser.sql
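Review bot: The rewritten NOTE tells an editor to keep nix/tests/prime-superuser.sql in sync with the "may be unsafe" list, but two entries of that list, adminpack and old_snapshot, are deliberately not in that file: its header in this same commit says they were removed from contrib in PG 17 and are loaded by nix/tests/sql/z_15_ext_interface.sql for the PG 15 path. An editor syncing from this side of the comment would add them to prime-superuser.sql, which the header suggests would then fail on a PG 17 build. Suggest spelling the exception out on the same line: `# NOTE: keep nix/tests/prime-superuser.sql in sync with the "may be unsafe" + "deprecated" lists above (except adminpack and old_snapshot, which are PG 15-only and covered by nix/tests/sql/z_15_ext_interface.sql).`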
@@ -1,23 +1,35 @@
 -- Superuser-only extensions for testing.
 --
--- These extensions are excluded from `supautils.privileged_extensions` (see
--- the "omitted because may be unsafe" comment in
--- `ansible/files/postgresql_config/supautils.conf.j2`). Hosted Supabase
--- projects cannot install them via non-superuser sessions, so this file is
--- loaded only by superuser-context harnesses: pg_regress (nix/checks.nix),
--- the docker-image-test, and the local migrate-tool. supadev's hosted
--- engines-with-smoke test sources `prime.sql` only.
+-- These extensions cannot be installed by a non-superuser session on a
+-- hosted Supabase project. They live here (not in prime.sql) so that
+-- prime.sql can be sourced by non-superuser contexts (e.g. supadev's
+-- engines-with-smoke against hosted projects). Superuser-context harnesses
+-- — pg_regress (nix/checks.nix), the docker-image-test, and the local
+-- migrate-tool — source this file in addition to prime.sql.
 --
--- This file covers the "may be unsafe" extensions available in BOTH PG 15
--- and PG 17 builds. Two more entries from the same list, `adminpack` and
--- `old_snapshot`, were removed from contrib in PG 17 and are loaded directly
--- by nix/tests/sql/z_15_ext_interface.sql for the PG 15 path.
+-- Categories of extensions in here, mapped to supautils.conf.j2 in
+-- ansible/files/postgresql_config:
 --
--- Keep this list in sync with the "may be unsafe" list in supautils.conf.j2,
--- minus adminpack and old_snapshot.
+-- 1. "omitted because may be unsafe" — supautils.conf.j2.
+-- Covers the entries available in BOTH PG 15 and PG 17 builds. Two more
+-- entries from the same list, `adminpack` and `old_snapshot`, were
+-- removed from contrib in PG 17 and are loaded directly by
+-- nix/tests/sql/z_15_ext_interface.sql for the PG 15 path.
+--
+-- 2. "omitted because deprecated" — supautils.conf.j2.
+-- Not in privileged_extensions, so non-superuser can't install.
+-- Note: "deprecated" here is a supautils-policy label, not a
+-- build-availability one. These extensions still ship in the PG
+-- image; supautils just doesn't auto-elevate non-superusers to
+-- install them. As superuser (this file's context), they install
+-- fine.
+--
+-- When adding a new extension here, also update the corresponding category
+-- in supautils.conf.j2 (or add a new comment line if the category is new).
 set client_min_messages = warning;
+-- Category 1: "may be unsafe" per supautils.conf.j2
 create extension if not exists amcheck;
 create extension if not exists file_fdw;
 create extension if not exists lo;
@@ -25,3 +37,7 @@ create extension if not exists pageinspect;
 create extension if not exists pg_freespacemap;
 create extension if not exists pg_surgery;
 create extension if not exists pg_visibility;
+
+-- Category 2: "deprecated" per supautils.conf.j2
+create extension if not exists intagg;
+create extension if not exists xml2;
diff --git a/nix/tests/prime.sql b/nix/tests/prime.sql
index 015d1ef4f..24fd8f2ea 100644
--- a/nix/tests/prime.sql
+++ b/nix/tests/prime.sql
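Review bot: The closing guidance `-- When adding a new extension here, also update the corresponding category in supautils.conf.j2` names only one of the places that now have to move in lock-step: the prime.sql header rewritten in this same commit (hunk `@@ -4,12 +4,15 @@`) enumerates both lists by name (amcheck … pg_visibility, and intagg, xml2), so there are three hand-maintained copies and nothing in the diff checks that they agree. Either drop the explicit enumeration from prime.sql's header and point at this file instead, or extend the note here to `-- in supautils.conf.j2 (or add a new comment line if the category is new)` / `-- and the enumerated lists in the header comment of nix/tests/prime.sql.` A mechanical guard would be preferable to comments: a pg_regress assertion that no extension created in this file appears in the `supautils.privileged_extensions` setting would catch drift in either direction, though whether the harness can read that GUC in its test context is not visible from this diff. The same duplication applies to the prime.sql hunk named above; no separate note is added there.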
@@ -4,12 +4,15 @@ set client_min_messages = warning;
 -- CREATE ROLE authenticated;
 -- CREATE ROLE service_role;
 --
--- Extensions in supautils' "may be unsafe" list (amcheck, file_fdw, lo,
--- pageinspect, pg_freespacemap, pg_surgery, pg_visibility) are NOT enabled
+-- Extensions that require superuser context to install are NOT enabled
 -- here so this file can be sourced by non-superuser contexts (e.g. supadev's
--- engines-with-smoke against hosted projects). Superuser-context harnesses
--- (nix/checks.nix, docker-image-test, migrate-tool) source prime-superuser.sql
--- in addition to this file.
+-- engines-with-smoke against hosted projects). They live in
+-- prime-superuser.sql instead — that covers:
+-- - the "may be unsafe" list from supautils.conf.j2
+-- (amcheck, file_fdw, lo, pageinspect, pg_freespacemap, pg_surgery, pg_visibility)
+-- - the "deprecated" list from supautils.conf.j2 (intagg, xml2)
+-- Superuser-context harnesses (nix/checks.nix, docker-image-test,
+-- migrate-tool) source prime-superuser.sql in addition to this file.
 create extension if not exists address_standardizer;
 create extension if not exists address_standardizer_data_us;
 create extension if not exists autoinc;
@@ -28,7 +31,6 @@ create extension if not exists hstore;
 create extension if not exists hypopg;
 create extension if not exists index_advisor;
 create extension if not exists insert_username;
-create extension if not exists intagg;
 create extension if not exists intarray;
 create extension if not exists isn;
 create extension if not exists ltree;
@@ -84,4 +86,3 @@ create extension if not exists unaccent;
 create extension if not exists "uuid-ossp";
 create extension if not exists vector;
 create extension if not exists wrappers;
-create extension if not exists xml2;