From b82b3f1f39ad56b5e5dcd558b4be73814d85fbdf Mon Sep 17 00:00:00 2001
From: Chris Gwilliams <517923+encima@users.noreply.github.com>
Date: Fri, 3 Apr 2026 21:47:37 +0300
Subject: [PATCH 1/2] enable safeupdate for anon, authenticator and authenticator roles by default, loadable by postgres
---
 .../20260403172611_safeupdate-data-api-enable.sql | 15 +++++++++++++++
 nix/ext/pg-safeupdate.nix | 12 ++++++------
 nix/tests/expected/pg-safeupdate.out | 2 +-
 nix/tests/expected/roles.out | 12 ++++++------
 nix/tests/sql/pg-safeupdate.sql | 2 +-
 5 files changed, 29 insertions(+), 14 deletions(-)
 create mode 100644 migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql
diff --git a/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql
new file mode 100644
index 0000000000..ea7192ae7b
--- /dev/null
+++ b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql
@@ -0,0 +1,15 @@
+-- migrate:up
+ALTER ROLE anon SET local_preload_libraries = '$libdir/plugins/safeupdate';
+ALTER ROLE authenticator SET local_preload_libraries = '$libdir/plugins/safeupdate';
+ALTER ROLE authenticated SET local_preload_libraries = '$libdir/plugins/safeupdate';
+ALTER ROLE authenticator RESET session_preload_libraries;
+ALTER ROLE postgres SET local_preload_libraries = '$libdir/plugins/safeupdate';
+
+ALTER ROLE anon SET safeupdate.enabled = 1;
+ALTER ROLE authenticator SET safeupdate.enabled = 1;
+ALTER ROLE authenticated SET safeupdate.enabled = 1;
+ALTER ROLE postgres SET safeupdate.enabled = 0;
+
+
+-- migrate:down
+
diff --git a/nix/ext/pg-safeupdate.nix b/nix/ext/pg-safeupdate.nix
index 97921c9c6c..814ec58234 100644
--- a/nix/ext/pg-safeupdate.nix
+++ b/nix/ext/pg-safeupdate.nix
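Review bot: The `-- migrate:down` section at the end of the hunk is empty, so reverting this migration leaves every role setting it adds in place and never deals with the `session_preload_libraries=safeupdate` entry it removes from `authenticator` (visible in the old `roles.out` row); a down section that RESETs each parameter is sketched below, and since the same series moves the library out of `$libdir` into `$libdir/plugins`, where `session_preload_libraries` would not find it, the decision not to restore that old entry should be written down rather than left implicit. Separately, `local_preload_libraries` is a connection-start parameter: it is applied only for the role that actually logs in and cannot be set by `SET`/`set_config` afterwards, so the entries on `anon` and `authenticated` — roles normally reached through `SET ROLE`, which does not apply the target role's `rolconfig` — are either inert or, if the API layer re-applies the impersonated role's settings in-session, a source of errors; please confirm which before keeping them, given that `authenticator` already carries the library. The `safeupdate.enabled` entries are fine per role, but as far as I know that GUC is user-settable, so any session can issue `SET safeupdate.enabled = 0`; a header comment such as `-- safeupdate guards against accidental unqualified UPDATE/DELETE; it is not an authorization control (any role can SET it off) and RLS remains the boundary` would keep it from being mistaken for one. A one-line comment on why `postgres` gets the library with `safeupdate.enabled = 0` (loaded but opt-in) would also help the next reader.
```sql
-- migrate:down
ALTER ROLE anon RESET local_preload_libraries;
ALTER ROLE authenticator RESET local_preload_libraries;
ALTER ROLE authenticated RESET local_preload_libraries;
ALTER ROLE postgres RESET local_preload_libraries;
ALTER ROLE anon RESET safeupdate.enabled;
ALTER ROLE authenticator RESET safeupdate.enabled;
ALTER ROLE authenticated RESET safeupdate.enabled;
ALTER ROLE postgres RESET safeupdate.enabled;
-- The previous session_preload_libraries=safeupdate entry on authenticator is
-- not restored: the same change moves the library under $libdir/plugins, where
-- session_preload_libraries would no longer find it.
```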
@@ -28,9 +28,9 @@ let runHook preInstall mkdir -p $out/share/postgresql/extension - + mkdir -p $out/lib/plugins # Install versioned library - install -Dm755 ${pname}${postgresql.dlSuffix} $out/lib/${pname}-${version}${postgresql.dlSuffix} + install -Dm755 ${pname}${postgresql.dlSuffix} $out/lib/plugins/${pname}-${version}${postgresql.dlSuffix} runHook postInstall '';
@@ -64,15 +64,15 @@ pkgs.buildEnv { paths = packages; nativeBuildInputs = [ makeWrapper ]; pathsToLink = [ - "/lib" + "/lib/plugins" "/share/postgresql/extension" ]; postBuild = '' - ln -sfn ${pname}-${latestVersion}${postgresql.dlSuffix} $out/lib/${pname}${postgresql.dlSuffix} + ln -sfn ${pname}-${latestVersion}${postgresql.dlSuffix} $out/lib/plugins/${pname}${postgresql.dlSuffix} # checks (set -x - test "$(ls -A $out/lib/${pname}*${postgresql.dlSuffix} | wc -l)" = "${ + test "$(ls -A $out/lib/plugins/${pname}*${postgresql.dlSuffix} | wc -l)" = "${ toString (numberOfVersionsBuilt + 1) }" )
@@ -83,7 +83,7 @@ pkgs.buildEnv {
 numberOfVersions = numberOfVersionsBuilt;
 inherit pname latestOnly;
 defaultSettings = {
- shared_preload_libraries = [ "safeupdate" ];
+ local_preload_libraries = [ "safeupdate" ];
 };
 pgRegressTestName = "pg-safeupdate";
 version =
diff --git a/nix/tests/expected/pg-safeupdate.out b/nix/tests/expected/pg-safeupdate.out
index f9100116ac..21948552e4 100644
--- a/nix/tests/expected/pg-safeupdate.out
+++ b/nix/tests/expected/pg-safeupdate.out
@@ -1,4 +1,4 @@
-load 'safeupdate';
+load '$libdir/plugins/safeupdate';
 set safeupdate.enabled=1;
 create schema v;
 create table v.foo(
diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out
index a457f40297..fc06a2f9c3 100644
--- a/nix/tests/expected/roles.out
+++ b/nix/tests/expected/roles.out
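Review bot: The `mkdir -p $out/lib/plugins` added in the first hunk is redundant with the `install -Dm755` line that follows it, since `-D` creates the destination's leading directories; `install -Dm755 ${pname}${postgresql.dlSuffix} $out/lib/plugins/${pname}-${version}${postgresql.dlSuffix}` alone is enough. Nothing in the file records why the library now lives under `lib/plugins` instead of `lib`: that is the directory PostgreSQL permits non-superuser sessions to load from (`LOAD`, `local_preload_libraries`), so a comment above the install line such as `# Installed under lib/plugins so non-superuser roles can load it via local_preload_libraries; only libraries written for unprivileged loading belong in this directory` would stop the layout being copied into packages that are not safe to expose that way. The `defaultSettings` change in the third hunk appears to preload the library for every session, while the migration in this series also names it per role as `$libdir/plugins/safeupdate`; if both are intentional, a comment saying so (or one shared spelling) would avoid the two being "reconciled" later. The install phase in the first hunk and the `buildEnv` attribute set in the other two begin and end outside the hunks.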
@@ -60,11 +60,11 @@ select
 from pg_roles r
 where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by rolname;
- rolname | rolconfig
-----------------------------+---------------------------------------------------------------------------------
- anon | {statement_timeout=3s}
- authenticated | {statement_timeout=8s}
- authenticator | {session_preload_libraries=safeupdate,statement_timeout=8s,lock_timeout=8s}
+ rolname | rolconfig
+----------------------------+-------------------------------------------------------------------------------------------------------------------------------
+ anon | {statement_timeout=3s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1}
+ authenticated | {statement_timeout=8s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1}
+ authenticator | {statement_timeout=8s,lock_timeout=8s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1}
 dashboard_user |
 pg_checkpoint |
 pg_database_owner |
@@ -83,7 +83,7 @@ order by rolname;
 pgsodium_keyiduser |
 pgsodium_keymaker |
 pgtle_admin |
- postgres | {"search_path=\"\\$user\", public, extensions"}
+ postgres | {"search_path=\"\\$user\", public, extensions","local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=0}
 service_role |
 supabase_admin | {"search_path=\"$user\", public, auth, extensions",log_statement=none}
 supabase_auth_admin | {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none}
diff --git a/nix/tests/sql/pg-safeupdate.sql b/nix/tests/sql/pg-safeupdate.sql
index 790ec79fa1..fe25137a13 100644
--- a/nix/tests/sql/pg-safeupdate.sql
+++ b/nix/tests/sql/pg-safeupdate.sql
@@ -1,4 +1,4 @@
-load 'safeupdate';
+load '$libdir/plugins/safeupdate';
 set safeupdate.enabled=1;
From 85247b50f0a5c8b84e637a9400ba0efe95824a58 Mon Sep 17 00:00:00 2001
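Review bot: The test keeps an explicit `load` and `set safeupdate.enabled=1`, so after this hunk it only proves that the new install path loads, not that the role defaults introduced by the migration in this series are in effect. Covering those defaults needs a fresh session as the login role (`authenticator`), because `SET ROLE anon` or `SET ROLE authenticated` inside this session does not apply the target role's `rolconfig` and `local_preload_libraries` cannot be changed after connection start; if pg_regress cannot reconnect as that role here, a comment such as `-- per-role defaults (local_preload_libraries, safeupdate.enabled) are only asserted via pg_roles.rolconfig in nix/tests/expected/roles.out, not exercised here` would record the gap. The rest of the test body is outside the hunk.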
From: Chris Gwilliams <517923+encima@users.noreply.github.com>
Date: Fri, 3 Apr 2026 23:32:36 +0300
Subject: [PATCH 2/2] fix: update oriole tests for roles
---
 nix/tests/expected/z_multigres-orioledb-17_roles.out | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/nix/tests/expected/z_multigres-orioledb-17_roles.out b/nix/tests/expected/z_multigres-orioledb-17_roles.out
index a307b2014b..43713224a8 100644
--- a/nix/tests/expected/z_multigres-orioledb-17_roles.out
+++ b/nix/tests/expected/z_multigres-orioledb-17_roles.out
@@ -57,11 +57,11 @@ select
 from pg_roles r
 where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by rolname;
- rolname | rolconfig
-----------------------------+---------------------------------------------------------------------------------
- anon | {statement_timeout=3s}
- authenticated | {statement_timeout=8s}
- authenticator | {session_preload_libraries=safeupdate,statement_timeout=8s,lock_timeout=8s}
+ rolname | rolconfig
+----------------------------+-------------------------------------------------------------------------------------------------------------------------------
+ anon | {statement_timeout=3s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1}
+ authenticated | {statement_timeout=8s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1}
+ authenticator | {statement_timeout=8s,lock_timeout=8s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1}
 dashboard_user |
 pg_checkpoint |
 pg_database_owner |
@@ -77,7 +77,7 @@ order by rolname;
 pg_write_server_files |
 pgbouncer |
 pgtle_admin |
- postgres | {"search_path=\"\\$user\", public, extensions"}
+ postgres | {"search_path=\"\\$user\", public, extensions","local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=0}
 service_role |
 supabase_admin | {"search_path=\"\\$user\", public, auth, extensions",log_statement=none}
 supabase_auth_admin | {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none}