npm - @supabase/pg-delta - Versions diffs - 1.0.0-alpha.21 → 1.0.0-alpha.23 - Mend

@supabase/pg-delta 1.0.0-alpha.21 → 1.0.0-alpha.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (271) hide show

package/src/core/objects/materialized-view/changes/materialized-view.base.ts CHANGED Viewed

@@ -3,7 +3,11 @@ import type { MaterializedView } from "../materialized-view.model.ts";
 abstract class BaseMaterializedViewChange extends BaseChange {
   abstract readonly materializedView: MaterializedView;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "materialized_view" = "materialized_view";
 }

package/src/core/objects/materialized-view/changes/materialized-view.security-label.test.ts ADDED Viewed

@@ -0,0 +1,63 @@
+import { describe, expect, test } from "bun:test";
+import { assertValidSql } from "../../../test-utils/assert-valid-sql.ts";
+import { stableId } from "../../utils.ts";
+import {
+  MaterializedView,
+  type MaterializedViewProps,
+} from "../materialized-view.model.ts";
+import {
+  CreateSecurityLabelOnMaterializedView,
+  DropSecurityLabelOnMaterializedView,
+} from "./materialized-view.security-label.ts";
+const makeMV = (): MaterializedView =>
+  new MaterializedView({
+    schema: "public",
+    name: "mv",
+    definition: "SELECT 1",
+    row_security: false,
+    force_row_security: false,
+    has_indexes: false,
+    has_rules: false,
+    has_triggers: false,
+    has_subclasses: false,
+    is_populated: true,
+    replica_identity: "d",
+    is_partition: false,
+    options: null,
+    partition_bound: null,
+    owner: "postgres",
+    comment: null,
+    columns: [],
+    privileges: [],
+  } as MaterializedViewProps);
+describe("materialized-view.security-label", () => {
+  test("create serializes", async () => {
+    const mv = makeMV();
+    const change = new CreateSecurityLabelOnMaterializedView({
+      materializedView: mv,
+      securityLabel: { provider: "dummy", label: "classified" },
+    });
+    expect(change.scope).toBe("security_label");
+    expect(change.creates).toEqual([
+      stableId.securityLabel(mv.stableId, "dummy"),
+    ]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR dummy ON MATERIALIZED VIEW public.mv IS 'classified'",
+    );
+  });
+  test("drop serializes to IS NULL", async () => {
+    const mv = makeMV();
+    const change = new DropSecurityLabelOnMaterializedView({
+      materializedView: mv,
+      securityLabel: { provider: "dummy", label: "x" },
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR dummy ON MATERIALIZED VIEW public.mv IS NULL",
+    );
+  });
+});

package/src/core/objects/materialized-view/changes/materialized-view.security-label.ts ADDED Viewed

@@ -0,0 +1,95 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { MaterializedView } from "../materialized-view.model.ts";
+import {
+  CreateMaterializedViewChange,
+  DropMaterializedViewChange,
+} from "./materialized-view.base.ts";
+export type SecurityLabelMaterializedView =
+  | CreateSecurityLabelOnMaterializedView
+  | DropSecurityLabelOnMaterializedView;
+export class CreateSecurityLabelOnMaterializedView extends CreateMaterializedViewChange {
+  public readonly materializedView: MaterializedView;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: {
+    materializedView: MaterializedView;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.materializedView = props.materializedView;
+    this.securityLabel = props.securityLabel;
+  }
+  get creates() {
+    return [
+      stableId.securityLabel(
+        this.materializedView.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+  get requires() {
+    return [this.materializedView.stableId];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON MATERIALIZED VIEW",
+      `${this.materializedView.schema}.${this.materializedView.name}`,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+export class DropSecurityLabelOnMaterializedView extends DropMaterializedViewChange {
+  public readonly materializedView: MaterializedView;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: {
+    materializedView: MaterializedView;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.materializedView = props.materializedView;
+    this.securityLabel = props.securityLabel;
+  }
+  get drops() {
+    return [
+      stableId.securityLabel(
+        this.materializedView.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+  get requires() {
+    return [
+      stableId.securityLabel(
+        this.materializedView.stableId,
+        this.securityLabel.provider,
+      ),
+      this.materializedView.stableId,
+    ];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON MATERIALIZED VIEW",
+      `${this.materializedView.schema}.${this.materializedView.name}`,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/materialized-view/changes/materialized-view.types.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import type { CommentMaterializedView } from "./materialized-view.comment.ts";
 import type { CreateMaterializedView } from "./materialized-view.create.ts";
 import type { DropMaterializedView } from "./materialized-view.drop.ts";
 import type { MaterializedViewPrivilege } from "./materialized-view.privilege.ts";
+import type { SecurityLabelMaterializedView } from "./materialized-view.security-label.ts";
 /** Union of all materialized-view-related change variants (`objectType: "materialized_view"`). @category Change Types */
 export type MaterializedViewChange =
@@ -10,4 +11,5 @@ export type MaterializedViewChange =
   | CommentMaterializedView
   | CreateMaterializedView
   | DropMaterializedView
-  | MaterializedViewPrivilege;
+  | MaterializedViewPrivilege
+  | SecurityLabelMaterializedView;

package/src/core/objects/materialized-view/materialized-view.diff.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import {
   emitColumnPrivilegeChanges,
 } from "../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { deepEqual, hasNonAlterableChanges } from "../utils.ts";
 import {
   AlterMaterializedViewChangeOwner,
@@ -22,6 +23,10 @@ import {
   RevokeGrantOptionMaterializedViewPrivileges,
   RevokeMaterializedViewPrivileges,
 } from "./changes/materialized-view.privilege.ts";
+import {
+  CreateSecurityLabelOnMaterializedView,
+  DropSecurityLabelOnMaterializedView,
+} from "./changes/materialized-view.security-label.ts";
 import type { MaterializedViewChange } from "./changes/materialized-view.types.ts";
 import type { MaterializedView } from "./materialized-view.model.ts";
@@ -88,6 +93,17 @@ export function diffMaterializedViews(
       }
     }
+    // Security labels on the matview itself (columns of matviews are not
+    // supported targets of SECURITY LABEL, so we only label the relation).
+    for (const label of mv.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnMaterializedView({
+          materializedView: mv,
+          securityLabel: label,
+        }),
+      );
+    }
     // PRIVILEGES: For created objects, compare against default privileges state
     // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
     // so objects are created with the default privileges state in effect.
@@ -241,6 +257,27 @@ export function diffMaterializedViews(
           );
         }
       }
+      // SECURITY LABELS
+      changes.push(
+        ...diffSecurityLabels<
+          | CreateSecurityLabelOnMaterializedView
+          | DropSecurityLabelOnMaterializedView
+        >(
+          mainMaterializedView.security_labels,
+          branchMaterializedView.security_labels,
+          (securityLabel) =>
+            new CreateSecurityLabelOnMaterializedView({
+              materializedView: branchMaterializedView,
+              securityLabel,
+            }),
+          (securityLabel) =>
+            new DropSecurityLabelOnMaterializedView({
+              materializedView: mainMaterializedView,
+              securityLabel,
+            }),
+        ),
+      );
       // COMMENT changes on columns
       const mainCols = new Map(
         mainMaterializedView.columns.map((c) => [c.name, c]),

package/src/core/objects/materialized-view/materialized-view.model.test.ts ADDED Viewed

@@ -0,0 +1,93 @@
+import { describe, expect, test } from "bun:test";
+import type { Pool } from "pg";
+import {
+  extractMaterializedViews,
+  MaterializedView,
+} from "./materialized-view.model.ts";
+const baseRow = {
+  schema: "public",
+  row_security: false,
+  force_row_security: false,
+  has_indexes: false,
+  has_rules: false,
+  has_triggers: false,
+  has_subclasses: false,
+  is_populated: true,
+  replica_identity: "d" as const,
+  is_partition: false,
+  options: null,
+  partition_bound: null,
+  owner: "postgres",
+  comment: null,
+  columns: [],
+  privileges: [],
+};
+const mockPool = (rows: unknown[]): Pool =>
+  ({ query: async () => ({ rows }) }) as unknown as Pool;
+const mockPoolSequence = (...attempts: unknown[][]): Pool => {
+  let i = 0;
+  return {
+    query: async () => ({
+      rows: attempts[Math.min(i++, attempts.length - 1)],
+    }),
+  } as unknown as Pool;
+};
+const NO_BACKOFF = { backoffMs: 0 } as const;
+describe("extractMaterializedViews", () => {
+  test("skips rows where pg_get_viewdef returned NULL after exhausting retries", async () => {
+    const mvs = await extractMaterializedViews(
+      mockPool([
+        {
+          ...baseRow,
+          name: '"good_mv"',
+          definition: "SELECT 1",
+        },
+        { ...baseRow, name: '"orphan_mv"', definition: null },
+      ]),
+      NO_BACKOFF,
+    );
+    expect(mvs).toHaveLength(1);
+    expect(mvs[0]).toBeInstanceOf(MaterializedView);
+    expect(mvs[0]?.name).toBe('"good_mv"');
+    expect(mvs[0]?.definition).toBe("SELECT 1");
+  });
+  test("does not throw ZodError when the only row has a null definition", async () => {
+    await expect(
+      extractMaterializedViews(
+        mockPool([{ ...baseRow, name: '"orphan"', definition: null }]),
+        NO_BACKOFF,
+      ),
+    ).resolves.toEqual([]);
+  });
+  test("returns all materialized views when every row has a valid definition", async () => {
+    const mvs = await extractMaterializedViews(
+      mockPool([
+        { ...baseRow, name: '"a"', definition: "SELECT 1" },
+        { ...baseRow, name: '"b"', definition: "SELECT 2" },
+      ]),
+      NO_BACKOFF,
+    );
+    expect(mvs.map((m) => m.name)).toEqual(['"a"', '"b"']);
+  });
+  test("recovers when pg_get_viewdef is NULL on first attempt but resolved on retry", async () => {
+    const mvs = await extractMaterializedViews(
+      mockPoolSequence(
+        [{ ...baseRow, name: '"racy_mv"', definition: null }],
+        [{ ...baseRow, name: '"racy_mv"', definition: "SELECT 42" }],
+      ),
+      { retries: 2, backoffMs: 0 },
+    );
+    expect(mvs).toHaveLength(1);
+    expect(mvs[0]?.name).toBe('"racy_mv"');
+    expect(mvs[0]?.definition).toBe("SELECT 42");
+  });
+});

package/src/core/objects/materialized-view/materialized-view.model.ts CHANGED Viewed

@@ -10,6 +10,15 @@ import {
   type PrivilegeProps,
   privilegePropsSchema,
 } from "../base.privilege-diff.ts";
+import {
+  type ExtractRetryOptions,
+  extractWithDefinitionRetry,
+} from "../extract-with-retry.ts";
+import {
+  normalizeSecurityLabels,
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 import { ReplicaIdentitySchema } from "../table/table.model.ts";
 const materializedViewPropsSchema = z.object({
@@ -31,6 +40,16 @@ const materializedViewPropsSchema = z.object({
   comment: z.string().nullable(),
   columns: z.array(columnPropsSchema),
   privileges: z.array(privilegePropsSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
+});
+// pg_get_viewdef(oid) can return NULL when the underlying matview (or its
+// pg_rewrite row) is dropped between catalog scan and resolution, or under
+// transient catalog state during recovery. An unreadable matview cannot be
+// diffed, so we accept NULL here and filter the row out at extraction time
+// rather than crashing the whole catalog parse with a ZodError.
+const materializedViewRowSchema = materializedViewPropsSchema.extend({
+  definition: z.string().nullable(),
 });
 type MaterializedViewPrivilegeProps = PrivilegeProps;
@@ -55,6 +74,7 @@ export class MaterializedView extends BasePgModel implements TableLikeObject {
   public readonly comment: MaterializedViewProps["comment"];
   public readonly columns: MaterializedViewProps["columns"];
   public readonly privileges: MaterializedViewPrivilegeProps[];
+  public readonly security_labels: SecurityLabelProps[];
   constructor(props: MaterializedViewProps) {
     super();
@@ -80,6 +100,7 @@ export class MaterializedView extends BasePgModel implements TableLikeObject {
     this.comment = props.comment;
     this.columns = props.columns;
     this.privileges = props.privileges;
+    this.security_labels = props.security_labels ?? [];
   }
   get stableId(): `materializedView:${string}` {
@@ -111,6 +132,7 @@ export class MaterializedView extends BasePgModel implements TableLikeObject {
       comment: this.comment,
       columns: this.columns,
       privileges: this.privileges,
+      security_labels: this.security_labels,
     };
   }
@@ -135,6 +157,7 @@ export class MaterializedView extends BasePgModel implements TableLikeObject {
       data: {
         ...this.dataFields,
         columns: normalizeColumns(),
+        security_labels: normalizeSecurityLabels(this.security_labels),
       },
     };
   }
@@ -142,8 +165,14 @@ export class MaterializedView extends BasePgModel implements TableLikeObject {
 export async function extractMaterializedViews(
   pool: Pool,
+  options?: ExtractRetryOptions,
 ): Promise<MaterializedView[]> {
-  const { rows: mvRows } = await pool.query<MaterializedViewProps>(sql`
+  const mvRows = await extractWithDefinitionRetry({
+    label: "materialized views",
+    options,
+    hasNullDefinition: (row) => row.definition === null,
+    query: async () => {
+      const result = await pool.query<MaterializedViewProps>(sql`
 with extension_oids as (
   select
     objid
@@ -233,7 +262,20 @@ select
       join lateral aclexplode(src.acl) as x(grantor, grantee, privilege_type, is_grantable) on true
       group by x.grantee, x.privilege_type
     ) as grp
-  ), '[]') as privileges
+  ), '[]') as privileges,
+  coalesce(
+    (
+      select json_agg(
+        json_build_object('provider', sl.provider, 'label', sl.label)
+        order by sl.provider
+      )
+      from pg_catalog.pg_seclabel sl
+      where sl.objoid = c.oid
+        and sl.classoid = 'pg_class'::regclass
+        and sl.objsubid = 0
+    ),
+    '[]'::json
+  ) as security_labels
 from
   pg_catalog.pg_class c
   left outer join extension_oids e on c.oid = e.objid
@@ -248,11 +290,13 @@ group by
 order by
   c.relnamespace::regnamespace, c.relname
   `);
-  // Validate and parse each row using the Zod schema
-  const validatedRows = mvRows.map((row: unknown) =>
-    materializedViewPropsSchema.parse(row),
-  );
-  return validatedRows.map(
-    (row: MaterializedViewProps) => new MaterializedView(row),
+      return result.rows.map((row: unknown) =>
+        materializedViewRowSchema.parse(row),
+      );
+    },
+  });
+  const validatedRows = mvRows.filter(
+    (row): row is MaterializedViewProps => row.definition !== null,
   );
+  return validatedRows.map((row) => new MaterializedView(row));
 }

package/src/core/objects/procedure/changes/procedure.base.ts CHANGED Viewed

@@ -3,7 +3,11 @@ import type { Procedure } from "../procedure.model.ts";
 abstract class BaseProcedureChange extends BaseChange {
   abstract readonly procedure: Procedure;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "procedure" = "procedure";
 }

package/src/core/objects/procedure/changes/procedure.security-label.ts ADDED Viewed

@@ -0,0 +1,105 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { Procedure } from "../procedure.model.ts";
+import {
+  CreateProcedureChange,
+  DropProcedureChange,
+} from "./procedure.base.ts";
+export type SecurityLabelProcedure =
+  | CreateSecurityLabelOnProcedure
+  | DropSecurityLabelOnProcedure;
+function targetKeyword(p: Procedure): "FUNCTION" | "PROCEDURE" {
+  return p.kind === "p" ? "PROCEDURE" : "FUNCTION";
+}
+function procedureIdentity(p: Procedure): string {
+  return `${p.schema}.${p.name}(${(p.argument_types ?? []).join(",")})`;
+}
+export class CreateSecurityLabelOnProcedure extends CreateProcedureChange {
+  public readonly procedure: Procedure;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: {
+    procedure: Procedure;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.procedure = props.procedure;
+    this.securityLabel = props.securityLabel;
+  }
+  get creates() {
+    return [
+      stableId.securityLabel(
+        this.procedure.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+  get requires() {
+    return [this.procedure.stableId];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON",
+      targetKeyword(this.procedure),
+      procedureIdentity(this.procedure),
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+export class DropSecurityLabelOnProcedure extends DropProcedureChange {
+  public readonly procedure: Procedure;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: {
+    procedure: Procedure;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.procedure = props.procedure;
+    this.securityLabel = props.securityLabel;
+  }
+  get drops() {
+    return [
+      stableId.securityLabel(
+        this.procedure.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+  get requires() {
+    return [
+      stableId.securityLabel(
+        this.procedure.stableId,
+        this.securityLabel.provider,
+      ),
+      this.procedure.stableId,
+    ];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON",
+      targetKeyword(this.procedure),
+      procedureIdentity(this.procedure),
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/procedure/changes/procedure.types.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import type { CommentProcedure } from "./procedure.comment.ts";
 import type { CreateProcedure } from "./procedure.create.ts";
 import type { DropProcedure } from "./procedure.drop.ts";
 import type { ProcedurePrivilege } from "./procedure.privilege.ts";
+import type { SecurityLabelProcedure } from "./procedure.security-label.ts";
 /** Union of all procedure-related change variants (`objectType: "procedure"`). @category Change Types */
 export type ProcedureChange =
@@ -10,4 +11,5 @@ export type ProcedureChange =
   | CommentProcedure
   | CreateProcedure
   | DropProcedure
-  | ProcedurePrivilege;
+  | ProcedurePrivilege
+  | SecurityLabelProcedure;

package/src/core/objects/procedure/procedure.diff.ts CHANGED Viewed

@@ -5,6 +5,7 @@ import {
   filterPublicBuiltInDefaults,
 } from "../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { deepEqual, hasNonAlterableChanges } from "../utils.ts";
 import {
   AlterProcedureChangeOwner,
@@ -26,6 +27,10 @@ import {
   RevokeGrantOptionProcedurePrivileges,
   RevokeProcedurePrivileges,
 } from "./changes/procedure.privilege.ts";
+import {
+  CreateSecurityLabelOnProcedure,
+  DropSecurityLabelOnProcedure,
+} from "./changes/procedure.security-label.ts";
 import type { ProcedureChange } from "./changes/procedure.types.ts";
 import type { Procedure } from "./procedure.model.ts";
@@ -66,6 +71,14 @@ export function diffProcedures(
     if (proc.comment !== null) {
       changes.push(new CreateCommentOnProcedure({ procedure: proc }));
     }
+    for (const label of proc.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnProcedure({
+          procedure: proc,
+          securityLabel: label,
+        }),
+      );
+    }
     // PRIVILEGES: For created objects, compare against default privileges state
     // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
@@ -225,6 +238,26 @@ export function diffProcedures(
         }
       }
+      // SECURITY LABELS
+      changes.push(
+        ...diffSecurityLabels<
+          CreateSecurityLabelOnProcedure | DropSecurityLabelOnProcedure
+        >(
+          mainProcedure.security_labels,
+          branchProcedure.security_labels,
+          (securityLabel) =>
+            new CreateSecurityLabelOnProcedure({
+              procedure: branchProcedure,
+              securityLabel,
+            }),
+          (securityLabel) =>
+            new DropSecurityLabelOnProcedure({
+              procedure: mainProcedure,
+              securityLabel,
+            }),
+        ),
+      );
       // SECURITY DEFINER/INVOKER
       if (mainProcedure.security_definer !== branchProcedure.security_definer) {
         changes.push(