@supabase/pg-delta 1.0.0-alpha.22 → 1.0.0-alpha.23

package/src/core/objects/domain/domain.model.ts

@@ -6,6 +6,10 @@ import {
   type PrivilegeProps,
   privilegePropsSchema,
 } from "../base.privilege-diff.ts";
+import {
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 
 const domainConstraintPropsSchema = z.object({
   name: z.string(),
@@ -31,6 +35,7 @@ const domainPropsSchema = z.object({
   comment: z.string().nullable(),
   constraints: z.array(domainConstraintPropsSchema),
   privileges: z.array(privilegePropsSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 
 export type DomainConstraintProps = z.infer<typeof domainConstraintPropsSchema>;
@@ -58,6 +63,7 @@ export class Domain extends BasePgModel {
   public readonly comment: DomainProps["comment"];
   public readonly constraints: DomainConstraintProps[];
   public readonly privileges: DomainPrivilegeProps[];
+  public readonly security_labels: SecurityLabelProps[];
 
   constructor(props: DomainProps) {
     super();
@@ -80,6 +86,7 @@ export class Domain extends BasePgModel {
     this.comment = props.comment;
     this.constraints = props.constraints;
     this.privileges = props.privileges;
+    this.security_labels = props.security_labels ?? [];
   }
 
   get stableId(): `domain:${string}` {
@@ -107,6 +114,7 @@ export class Domain extends BasePgModel {
       comment: this.comment,
       constraints: this.constraints,
       privileges: this.privileges,
+      security_labels: this.security_labels,
     };
   }
 }
@@ -170,7 +178,20 @@ export async function extractDomains(pool: Pool): Promise<Domain[]> {
             )
             from lateral aclexplode(COALESCE(t.typacl, acldefault('T', t.typowner))) as x(grantor, grantee, privilege_type, is_grantable)
           ), '[]'
-        ) as privileges
+        ) as privileges,
+        coalesce(
+          (
+            select json_agg(
+              json_build_object('provider', sl.provider, 'label', sl.label)
+              order by sl.provider
+            )
+            from pg_catalog.pg_seclabel sl
+            where sl.objoid = t.oid
+              and sl.classoid = 'pg_type'::regclass
+              and sl.objsubid = 0
+          ),
+          '[]'::json
+        ) as security_labels
       from
         pg_catalog.pg_type t
         inner join pg_catalog.pg_type bt on bt.oid = t.typbasetype

package/src/core/objects/event-trigger/changes/event-trigger.base.ts

@@ -3,7 +3,7 @@ import type { EventTrigger } from "../event-trigger.model.ts";
 
 abstract class BaseEventTriggerChange extends BaseChange {
   abstract readonly eventTrigger: EventTrigger;
-  abstract readonly scope: "object" | "comment";
+  abstract readonly scope: "object" | "comment" | "security_label";
   readonly objectType = "event_trigger" as const;
 }
 

package/src/core/objects/event-trigger/changes/event-trigger.security-label.ts

@@ -0,0 +1,95 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { EventTrigger } from "../event-trigger.model.ts";
+import {
+  CreateEventTriggerChange,
+  DropEventTriggerChange,
+} from "./event-trigger.base.ts";
+
+export type SecurityLabelEventTrigger =
+  | CreateSecurityLabelOnEventTrigger
+  | DropSecurityLabelOnEventTrigger;
+
+export class CreateSecurityLabelOnEventTrigger extends CreateEventTriggerChange {
+  public readonly eventTrigger: EventTrigger;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+
+  constructor(props: {
+    eventTrigger: EventTrigger;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.eventTrigger = props.eventTrigger;
+    this.securityLabel = props.securityLabel;
+  }
+
+  get creates() {
+    return [
+      stableId.securityLabel(
+        this.eventTrigger.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+
+  get requires() {
+    return [this.eventTrigger.stableId];
+  }
+
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON EVENT TRIGGER",
+      this.eventTrigger.name,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+
+export class DropSecurityLabelOnEventTrigger extends DropEventTriggerChange {
+  public readonly eventTrigger: EventTrigger;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+
+  constructor(props: {
+    eventTrigger: EventTrigger;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.eventTrigger = props.eventTrigger;
+    this.securityLabel = props.securityLabel;
+  }
+
+  get drops() {
+    return [
+      stableId.securityLabel(
+        this.eventTrigger.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+
+  get requires() {
+    return [
+      stableId.securityLabel(
+        this.eventTrigger.stableId,
+        this.securityLabel.provider,
+      ),
+      this.eventTrigger.stableId,
+    ];
+  }
+
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON EVENT TRIGGER",
+      this.eventTrigger.name,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/event-trigger/changes/event-trigger.types.ts

@@ -2,10 +2,12 @@ import type { AlterEventTrigger } from "./event-trigger.alter.ts";
 import type { CommentEventTrigger } from "./event-trigger.comment.ts";
 import type { CreateEventTrigger } from "./event-trigger.create.ts";
 import type { DropEventTrigger } from "./event-trigger.drop.ts";
+import type { SecurityLabelEventTrigger } from "./event-trigger.security-label.ts";
 
 /** Union of all event-trigger-related change variants (`objectType: "event_trigger"`). @category Change Types */
 export type EventTriggerChange =
   | AlterEventTrigger
   | CommentEventTrigger
   | CreateEventTrigger
-  | DropEventTrigger;
+  | DropEventTrigger
+  | SecurityLabelEventTrigger;

package/src/core/objects/event-trigger/event-trigger.diff.ts

@@ -1,5 +1,6 @@
 import { diffObjects } from "../base.diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { deepEqual, hasNonAlterableChanges } from "../utils.ts";
 import {
   AlterEventTriggerChangeOwner,
@@ -11,6 +12,10 @@ import {
 } from "./changes/event-trigger.comment.ts";
 import { CreateEventTrigger } from "./changes/event-trigger.create.ts";
 import { DropEventTrigger } from "./changes/event-trigger.drop.ts";
+import {
+  CreateSecurityLabelOnEventTrigger,
+  DropSecurityLabelOnEventTrigger,
+} from "./changes/event-trigger.security-label.ts";
 import type { EventTriggerChange } from "./changes/event-trigger.types.ts";
 import type { EventTrigger } from "./event-trigger.model.ts";
 
@@ -49,6 +54,14 @@ export function diffEventTriggers(
     if (eventTrigger.comment !== null) {
       changes.push(new CreateCommentOnEventTrigger({ eventTrigger }));
     }
+    for (const label of eventTrigger.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnEventTrigger({
+          eventTrigger,
+          securityLabel: label,
+        }),
+      );
+    }
   }
 
   for (const eventTriggerId of dropped) {
@@ -121,6 +134,26 @@ export function diffEventTriggers(
         );
       }
     }
+
+    // SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnEventTrigger | DropSecurityLabelOnEventTrigger
+      >(
+        mainEventTrigger.security_labels,
+        branchEventTrigger.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnEventTrigger({
+            eventTrigger: branchEventTrigger,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnEventTrigger({
+            eventTrigger: mainEventTrigger,
+            securityLabel,
+          }),
+      ),
+    );
   }
 
   return changes;

package/src/core/objects/event-trigger/event-trigger.model.ts

@@ -2,6 +2,10 @@ import { sql } from "@ts-safeql/sql-tag";
 import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel } from "../base.model.ts";
+import {
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 
 const EventTriggerEnabledSchema = z.enum([
   "O", // ORIGIN - trigger fires in origin mode
@@ -19,6 +23,7 @@ const eventTriggerPropsSchema = z.object({
   tags: z.array(z.string()).nullable(),
   owner: z.string(),
   comment: z.string().nullable(),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 
 export type EventTriggerProps = z.infer<typeof eventTriggerPropsSchema>;
@@ -32,6 +37,7 @@ export class EventTrigger extends BasePgModel {
   public readonly tags: EventTriggerProps["tags"];
   public readonly owner: EventTriggerProps["owner"];
   public readonly comment: EventTriggerProps["comment"];
+  public readonly security_labels: SecurityLabelProps[];
 
   constructor(props: EventTriggerProps) {
     super();
@@ -47,6 +53,7 @@ export class EventTrigger extends BasePgModel {
     this.tags = props.tags;
     this.owner = props.owner;
     this.comment = props.comment;
+    this.security_labels = props.security_labels ?? [];
   }
 
   get stableId(): `eventTrigger:${string}` {
@@ -68,6 +75,7 @@ export class EventTrigger extends BasePgModel {
       tags: this.tags,
       owner: this.owner,
       comment: this.comment,
+      security_labels: this.security_labels,
     };
   }
 }
@@ -90,7 +98,20 @@ select
   et.evtenabled as enabled,
   et.evttags as tags,
   et.evtowner::regrole::text as owner,
-  obj_description(et.oid, 'pg_event_trigger') as comment
+  obj_description(et.oid, 'pg_event_trigger') as comment,
+  coalesce(
+    (
+      select json_agg(
+        json_build_object('provider', sl.provider, 'label', sl.label)
+        order by sl.provider
+      )
+      from pg_catalog.pg_seclabel sl
+      where sl.objoid = et.oid
+        and sl.classoid = 'pg_event_trigger'::regclass
+        and sl.objsubid = 0
+    ),
+    '[]'::json
+  ) as security_labels
 from pg_catalog.pg_event_trigger et
 join pg_catalog.pg_proc p on p.oid = et.evtfoid
 left join extension_oids e on e.objid = et.oid

package/src/core/objects/foreign-data-wrapper/foreign-table/changes/foreign-table.base.ts

@@ -3,7 +3,11 @@ import type { ForeignTable } from "../foreign-table.model.ts";
 
 abstract class BaseForeignTableChange extends BaseChange {
   abstract readonly foreignTable: ForeignTable;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "foreign_table" = "foreign_table";
 }
 

package/src/core/objects/foreign-data-wrapper/foreign-table/changes/foreign-table.security-label.ts

@@ -0,0 +1,95 @@
+import { quoteLiteral } from "../../../base.change.ts";
+import type { SecurityLabelProps } from "../../../security-label.types.ts";
+import { stableId } from "../../../utils.ts";
+import type { ForeignTable } from "../foreign-table.model.ts";
+import {
+  CreateForeignTableChange,
+  DropForeignTableChange,
+} from "./foreign-table.base.ts";
+
+export type SecurityLabelForeignTable =
+  | CreateSecurityLabelOnForeignTable
+  | DropSecurityLabelOnForeignTable;
+
+export class CreateSecurityLabelOnForeignTable extends CreateForeignTableChange {
+  public readonly foreignTable: ForeignTable;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+
+  constructor(props: {
+    foreignTable: ForeignTable;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.foreignTable = props.foreignTable;
+    this.securityLabel = props.securityLabel;
+  }
+
+  get creates() {
+    return [
+      stableId.securityLabel(
+        this.foreignTable.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+
+  get requires() {
+    return [this.foreignTable.stableId];
+  }
+
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON FOREIGN TABLE",
+      `${this.foreignTable.schema}.${this.foreignTable.name}`,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+
+export class DropSecurityLabelOnForeignTable extends DropForeignTableChange {
+  public readonly foreignTable: ForeignTable;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+
+  constructor(props: {
+    foreignTable: ForeignTable;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.foreignTable = props.foreignTable;
+    this.securityLabel = props.securityLabel;
+  }
+
+  get drops() {
+    return [
+      stableId.securityLabel(
+        this.foreignTable.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+
+  get requires() {
+    return [
+      stableId.securityLabel(
+        this.foreignTable.stableId,
+        this.securityLabel.provider,
+      ),
+      this.foreignTable.stableId,
+    ];
+  }
+
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON FOREIGN TABLE",
+      `${this.foreignTable.schema}.${this.foreignTable.name}`,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/foreign-data-wrapper/foreign-table/changes/foreign-table.types.ts

@@ -3,6 +3,7 @@ import type { CommentForeignTable } from "./foreign-table.comment.ts";
 import type { CreateForeignTable } from "./foreign-table.create.ts";
 import type { DropForeignTable } from "./foreign-table.drop.ts";
 import type { ForeignTablePrivilege } from "./foreign-table.privilege.ts";
+import type { SecurityLabelForeignTable } from "./foreign-table.security-label.ts";
 
 /** Union of all foreign-table-related change variants (`objectType: "foreign_table"`). @category Change Types */
 export type ForeignTableChange =
@@ -10,4 +11,5 @@ export type ForeignTableChange =
   | CommentForeignTable
   | CreateForeignTable
   | DropForeignTable
-  | ForeignTablePrivilege;
+  | ForeignTablePrivilege
+  | SecurityLabelForeignTable;

package/src/core/objects/foreign-data-wrapper/foreign-table/foreign-table.diff.ts

@@ -5,6 +5,7 @@ import {
   filterPublicBuiltInDefaults,
 } from "../../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../../diff-context.ts";
+import { diffSecurityLabels } from "../../security-label.types.ts";
 import {
   AlterForeignTableAddColumn,
   AlterForeignTableAlterColumnDropDefault,
@@ -27,6 +28,10 @@ import {
   RevokeForeignTablePrivileges,
   RevokeGrantOptionForeignTablePrivileges,
 } from "./changes/foreign-table.privilege.ts";
+import {
+  CreateSecurityLabelOnForeignTable,
+  DropSecurityLabelOnForeignTable,
+} from "./changes/foreign-table.security-label.ts";
 import type { ForeignTableChange } from "./changes/foreign-table.types.ts";
 import type { ForeignTable } from "./foreign-table.model.ts";
 
@@ -70,6 +75,14 @@ export function diffForeignTables(
         new CreateCommentOnForeignTable({ foreignTable: createdTable }),
       );
     }
+    for (const label of createdTable.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnForeignTable({
+          foreignTable: createdTable,
+          securityLabel: label,
+        }),
+      );
+    }
 
     // PRIVILEGES: For created objects, compare against default privileges state
     const effectiveDefaults = ctx.defaultPrivilegeState.getEffectiveDefaults(
@@ -249,6 +262,26 @@ export function diffForeignTables(
       }
     }
 
+    // SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnForeignTable | DropSecurityLabelOnForeignTable
+      >(
+        mainTable.security_labels,
+        branchTable.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnForeignTable({
+            foreignTable: branchTable,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnForeignTable({
+            foreignTable: mainTable,
+            securityLabel,
+          }),
+      ),
+    );
+
     // PRIVILEGES
     const mainPrivilegesFiltered = filterPublicBuiltInDefaults(
       "foreign_table",

package/src/core/objects/foreign-data-wrapper/foreign-table/foreign-table.model.ts

@@ -10,6 +10,11 @@ import {
   type PrivilegeProps,
   privilegePropsSchema,
 } from "../../base.privilege-diff.ts";
+import {
+  normalizeSecurityLabels,
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../../security-label.types.ts";
 
 /**
  * All properties exposed by CREATE FOREIGN TABLE statement are included in diff output.
@@ -30,6 +35,7 @@ const foreignTablePropsSchema = z.object({
   comment: z.string().nullable(),
   columns: z.array(columnPropsSchema),
   privileges: z.array(privilegePropsSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 
 type ForeignTablePrivilegeProps = PrivilegeProps;
@@ -44,6 +50,7 @@ export class ForeignTable extends BasePgModel implements TableLikeObject {
   public readonly comment: ForeignTableProps["comment"];
   public readonly columns: ForeignTableProps["columns"];
   public readonly privileges: ForeignTablePrivilegeProps[];
+  public readonly security_labels: SecurityLabelProps[];
 
   constructor(props: ForeignTableProps) {
     super();
@@ -59,6 +66,7 @@ export class ForeignTable extends BasePgModel implements TableLikeObject {
     this.comment = props.comment;
     this.columns = props.columns;
     this.privileges = props.privileges;
+    this.security_labels = props.security_labels ?? [];
   }
 
   get stableId(): `foreignTable:${string}` {
@@ -80,6 +88,7 @@ export class ForeignTable extends BasePgModel implements TableLikeObject {
       comment: this.comment,
       columns: this.columns,
       privileges: this.privileges,
+      security_labels: this.security_labels,
     };
   }
 
@@ -104,6 +113,7 @@ export class ForeignTable extends BasePgModel implements TableLikeObject {
       data: {
         ...this.dataFields,
         columns: normalizeColumns(),
+        security_labels: normalizeSecurityLabels(this.security_labels),
       },
     };
   }
@@ -209,7 +219,20 @@ export async function extractForeignTables(
             join lateral aclexplode(src.acl) as x(grantor, grantee, privilege_type, is_grantable) on true
             group by x.grantee, x.privilege_type
           ) as grp
-        ), '[]') as privileges
+        ), '[]') as privileges,
+        coalesce(
+          (
+            select json_agg(
+              json_build_object('provider', sl.provider, 'label', sl.label)
+              order by sl.provider
+            )
+            from pg_catalog.pg_seclabel sl
+            where sl.objoid = ft.oid
+              and sl.classoid = 'pg_class'::regclass
+              and sl.objsubid = 0
+          ),
+          '[]'::json
+        ) as security_labels
       from
         foreign_tables ft
         left join pg_attribute a on a.attrelid = ft.oid and a.attnum > 0 and not a.attisdropped

package/src/core/objects/materialized-view/changes/materialized-view.base.ts

@@ -3,7 +3,11 @@ import type { MaterializedView } from "../materialized-view.model.ts";
 
 abstract class BaseMaterializedViewChange extends BaseChange {
   abstract readonly materializedView: MaterializedView;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "materialized_view" = "materialized_view";
 }
 

package/src/core/objects/materialized-view/changes/materialized-view.security-label.test.ts

@@ -0,0 +1,63 @@
+import { describe, expect, test } from "bun:test";
+import { assertValidSql } from "../../../test-utils/assert-valid-sql.ts";
+import { stableId } from "../../utils.ts";
+import {
+  MaterializedView,
+  type MaterializedViewProps,
+} from "../materialized-view.model.ts";
+import {
+  CreateSecurityLabelOnMaterializedView,
+  DropSecurityLabelOnMaterializedView,
+} from "./materialized-view.security-label.ts";
+
+const makeMV = (): MaterializedView =>
+  new MaterializedView({
+    schema: "public",
+    name: "mv",
+    definition: "SELECT 1",
+    row_security: false,
+    force_row_security: false,
+    has_indexes: false,
+    has_rules: false,
+    has_triggers: false,
+    has_subclasses: false,
+    is_populated: true,
+    replica_identity: "d",
+    is_partition: false,
+    options: null,
+    partition_bound: null,
+    owner: "postgres",
+    comment: null,
+    columns: [],
+    privileges: [],
+  } as MaterializedViewProps);
+
+describe("materialized-view.security-label", () => {
+  test("create serializes", async () => {
+    const mv = makeMV();
+    const change = new CreateSecurityLabelOnMaterializedView({
+      materializedView: mv,
+      securityLabel: { provider: "dummy", label: "classified" },
+    });
+    expect(change.scope).toBe("security_label");
+    expect(change.creates).toEqual([
+      stableId.securityLabel(mv.stableId, "dummy"),
+    ]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR dummy ON MATERIALIZED VIEW public.mv IS 'classified'",
+    );
+  });
+
+  test("drop serializes to IS NULL", async () => {
+    const mv = makeMV();
+    const change = new DropSecurityLabelOnMaterializedView({
+      materializedView: mv,
+      securityLabel: { provider: "dummy", label: "x" },
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR dummy ON MATERIALIZED VIEW public.mv IS NULL",
+    );
+  });
+});