npm - @supabase/pg-delta - Versions diffs - 1.0.0-alpha.22 → 1.0.0-alpha.24 - Mend

@supabase/pg-delta 1.0.0-alpha.22 → 1.0.0-alpha.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (228) hide show

package/src/core/objects/foreign-data-wrapper/foreign-table/foreign-table.diff.ts CHANGED Viewed

@@ -5,6 +5,7 @@ import {
   filterPublicBuiltInDefaults,
 } from "../../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../../diff-context.ts";
+import { diffSecurityLabels } from "../../security-label.types.ts";
 import {
   AlterForeignTableAddColumn,
   AlterForeignTableAlterColumnDropDefault,
@@ -27,6 +28,10 @@ import {
   RevokeForeignTablePrivileges,
   RevokeGrantOptionForeignTablePrivileges,
 } from "./changes/foreign-table.privilege.ts";
+import {
+  CreateSecurityLabelOnForeignTable,
+  DropSecurityLabelOnForeignTable,
+} from "./changes/foreign-table.security-label.ts";
 import type { ForeignTableChange } from "./changes/foreign-table.types.ts";
 import type { ForeignTable } from "./foreign-table.model.ts";
@@ -70,6 +75,14 @@ export function diffForeignTables(
         new CreateCommentOnForeignTable({ foreignTable: createdTable }),
       );
     }
+    for (const label of createdTable.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnForeignTable({
+          foreignTable: createdTable,
+          securityLabel: label,
+        }),
+      );
+    }
     // PRIVILEGES: For created objects, compare against default privileges state
     const effectiveDefaults = ctx.defaultPrivilegeState.getEffectiveDefaults(
@@ -249,6 +262,26 @@ export function diffForeignTables(
       }
     }
+    // SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnForeignTable | DropSecurityLabelOnForeignTable
+      >(
+        mainTable.security_labels,
+        branchTable.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnForeignTable({
+            foreignTable: branchTable,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnForeignTable({
+            foreignTable: mainTable,
+            securityLabel,
+          }),
+      ),
+    );
     // PRIVILEGES
     const mainPrivilegesFiltered = filterPublicBuiltInDefaults(
       "foreign_table",

package/src/core/objects/foreign-data-wrapper/foreign-table/foreign-table.model.ts CHANGED Viewed

@@ -10,6 +10,11 @@ import {
   type PrivilegeProps,
   privilegePropsSchema,
 } from "../../base.privilege-diff.ts";
+import {
+  normalizeSecurityLabels,
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../../security-label.types.ts";
 /**
  * All properties exposed by CREATE FOREIGN TABLE statement are included in diff output.
@@ -30,6 +35,7 @@ const foreignTablePropsSchema = z.object({
   comment: z.string().nullable(),
   columns: z.array(columnPropsSchema),
   privileges: z.array(privilegePropsSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 type ForeignTablePrivilegeProps = PrivilegeProps;
@@ -44,6 +50,7 @@ export class ForeignTable extends BasePgModel implements TableLikeObject {
   public readonly comment: ForeignTableProps["comment"];
   public readonly columns: ForeignTableProps["columns"];
   public readonly privileges: ForeignTablePrivilegeProps[];
+  public readonly security_labels: SecurityLabelProps[];
   constructor(props: ForeignTableProps) {
     super();
@@ -59,6 +66,7 @@ export class ForeignTable extends BasePgModel implements TableLikeObject {
     this.comment = props.comment;
     this.columns = props.columns;
     this.privileges = props.privileges;
+    this.security_labels = props.security_labels ?? [];
   }
   get stableId(): `foreignTable:${string}` {
@@ -80,6 +88,7 @@ export class ForeignTable extends BasePgModel implements TableLikeObject {
       comment: this.comment,
       columns: this.columns,
       privileges: this.privileges,
+      security_labels: this.security_labels,
     };
   }
@@ -104,6 +113,7 @@ export class ForeignTable extends BasePgModel implements TableLikeObject {
       data: {
         ...this.dataFields,
         columns: normalizeColumns(),
+        security_labels: normalizeSecurityLabels(this.security_labels),
       },
     };
   }
@@ -209,7 +219,20 @@ export async function extractForeignTables(
             join lateral aclexplode(src.acl) as x(grantor, grantee, privilege_type, is_grantable) on true
             group by x.grantee, x.privilege_type
           ) as grp
-        ), '[]') as privileges
+        ), '[]') as privileges,
+        coalesce(
+          (
+            select json_agg(
+              json_build_object('provider', sl.provider, 'label', sl.label)
+              order by sl.provider
+            )
+            from pg_catalog.pg_seclabel sl
+            where sl.objoid = ft.oid
+              and sl.classoid = 'pg_class'::regclass
+              and sl.objsubid = 0
+          ),
+          '[]'::json
+        ) as security_labels
       from
         foreign_tables ft
         left join pg_attribute a on a.attrelid = ft.oid and a.attnum > 0 and not a.attisdropped

package/src/core/objects/materialized-view/changes/materialized-view.base.ts CHANGED Viewed

@@ -3,7 +3,11 @@ import type { MaterializedView } from "../materialized-view.model.ts";
 abstract class BaseMaterializedViewChange extends BaseChange {
   abstract readonly materializedView: MaterializedView;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "materialized_view" = "materialized_view";
 }

package/src/core/objects/materialized-view/changes/materialized-view.security-label.test.ts ADDED Viewed

@@ -0,0 +1,63 @@
+import { describe, expect, test } from "bun:test";
+import { assertValidSql } from "../../../test-utils/assert-valid-sql.ts";
+import { stableId } from "../../utils.ts";
+import {
+  MaterializedView,
+  type MaterializedViewProps,
+} from "../materialized-view.model.ts";
+import {
+  CreateSecurityLabelOnMaterializedView,
+  DropSecurityLabelOnMaterializedView,
+} from "./materialized-view.security-label.ts";
+const makeMV = (): MaterializedView =>
+  new MaterializedView({
+    schema: "public",
+    name: "mv",
+    definition: "SELECT 1",
+    row_security: false,
+    force_row_security: false,
+    has_indexes: false,
+    has_rules: false,
+    has_triggers: false,
+    has_subclasses: false,
+    is_populated: true,
+    replica_identity: "d",
+    is_partition: false,
+    options: null,
+    partition_bound: null,
+    owner: "postgres",
+    comment: null,
+    columns: [],
+    privileges: [],
+  } as MaterializedViewProps);
+describe("materialized-view.security-label", () => {
+  test("create serializes", async () => {
+    const mv = makeMV();
+    const change = new CreateSecurityLabelOnMaterializedView({
+      materializedView: mv,
+      securityLabel: { provider: "dummy", label: "classified" },
+    });
+    expect(change.scope).toBe("security_label");
+    expect(change.creates).toEqual([
+      stableId.securityLabel(mv.stableId, "dummy"),
+    ]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR dummy ON MATERIALIZED VIEW public.mv IS 'classified'",
+    );
+  });
+  test("drop serializes to IS NULL", async () => {
+    const mv = makeMV();
+    const change = new DropSecurityLabelOnMaterializedView({
+      materializedView: mv,
+      securityLabel: { provider: "dummy", label: "x" },
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR dummy ON MATERIALIZED VIEW public.mv IS NULL",
+    );
+  });
+});

package/src/core/objects/materialized-view/changes/materialized-view.security-label.ts ADDED Viewed

@@ -0,0 +1,95 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { MaterializedView } from "../materialized-view.model.ts";
+import {
+  CreateMaterializedViewChange,
+  DropMaterializedViewChange,
+} from "./materialized-view.base.ts";
+export type SecurityLabelMaterializedView =
+  | CreateSecurityLabelOnMaterializedView
+  | DropSecurityLabelOnMaterializedView;
+export class CreateSecurityLabelOnMaterializedView extends CreateMaterializedViewChange {
+  public readonly materializedView: MaterializedView;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: {
+    materializedView: MaterializedView;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.materializedView = props.materializedView;
+    this.securityLabel = props.securityLabel;
+  }
+  get creates() {
+    return [
+      stableId.securityLabel(
+        this.materializedView.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+  get requires() {
+    return [this.materializedView.stableId];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON MATERIALIZED VIEW",
+      `${this.materializedView.schema}.${this.materializedView.name}`,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+export class DropSecurityLabelOnMaterializedView extends DropMaterializedViewChange {
+  public readonly materializedView: MaterializedView;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: {
+    materializedView: MaterializedView;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.materializedView = props.materializedView;
+    this.securityLabel = props.securityLabel;
+  }
+  get drops() {
+    return [
+      stableId.securityLabel(
+        this.materializedView.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+  get requires() {
+    return [
+      stableId.securityLabel(
+        this.materializedView.stableId,
+        this.securityLabel.provider,
+      ),
+      this.materializedView.stableId,
+    ];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON MATERIALIZED VIEW",
+      `${this.materializedView.schema}.${this.materializedView.name}`,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/materialized-view/changes/materialized-view.types.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import type { CommentMaterializedView } from "./materialized-view.comment.ts";
 import type { CreateMaterializedView } from "./materialized-view.create.ts";
 import type { DropMaterializedView } from "./materialized-view.drop.ts";
 import type { MaterializedViewPrivilege } from "./materialized-view.privilege.ts";
+import type { SecurityLabelMaterializedView } from "./materialized-view.security-label.ts";
 /** Union of all materialized-view-related change variants (`objectType: "materialized_view"`). @category Change Types */
 export type MaterializedViewChange =
@@ -10,4 +11,5 @@ export type MaterializedViewChange =
   | CommentMaterializedView
   | CreateMaterializedView
   | DropMaterializedView
-  | MaterializedViewPrivilege;
+  | MaterializedViewPrivilege
+  | SecurityLabelMaterializedView;

package/src/core/objects/materialized-view/materialized-view.diff.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import {
   emitColumnPrivilegeChanges,
 } from "../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { deepEqual, hasNonAlterableChanges } from "../utils.ts";
 import {
   AlterMaterializedViewChangeOwner,
@@ -22,6 +23,10 @@ import {
   RevokeGrantOptionMaterializedViewPrivileges,
   RevokeMaterializedViewPrivileges,
 } from "./changes/materialized-view.privilege.ts";
+import {
+  CreateSecurityLabelOnMaterializedView,
+  DropSecurityLabelOnMaterializedView,
+} from "./changes/materialized-view.security-label.ts";
 import type { MaterializedViewChange } from "./changes/materialized-view.types.ts";
 import type { MaterializedView } from "./materialized-view.model.ts";
@@ -88,6 +93,17 @@ export function diffMaterializedViews(
       }
     }
+    // Security labels on the matview itself (columns of matviews are not
+    // supported targets of SECURITY LABEL, so we only label the relation).
+    for (const label of mv.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnMaterializedView({
+          materializedView: mv,
+          securityLabel: label,
+        }),
+      );
+    }
     // PRIVILEGES: For created objects, compare against default privileges state
     // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
     // so objects are created with the default privileges state in effect.
@@ -241,6 +257,27 @@ export function diffMaterializedViews(
           );
         }
       }
+      // SECURITY LABELS
+      changes.push(
+        ...diffSecurityLabels<
+          | CreateSecurityLabelOnMaterializedView
+          | DropSecurityLabelOnMaterializedView
+        >(
+          mainMaterializedView.security_labels,
+          branchMaterializedView.security_labels,
+          (securityLabel) =>
+            new CreateSecurityLabelOnMaterializedView({
+              materializedView: branchMaterializedView,
+              securityLabel,
+            }),
+          (securityLabel) =>
+            new DropSecurityLabelOnMaterializedView({
+              materializedView: mainMaterializedView,
+              securityLabel,
+            }),
+        ),
+      );
       // COMMENT changes on columns
       const mainCols = new Map(
         mainMaterializedView.columns.map((c) => [c.name, c]),

package/src/core/objects/materialized-view/materialized-view.model.ts CHANGED Viewed

@@ -14,6 +14,11 @@ import {
   type ExtractRetryOptions,
   extractWithDefinitionRetry,
 } from "../extract-with-retry.ts";
+import {
+  normalizeSecurityLabels,
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 import { ReplicaIdentitySchema } from "../table/table.model.ts";
 const materializedViewPropsSchema = z.object({
@@ -35,6 +40,7 @@ const materializedViewPropsSchema = z.object({
   comment: z.string().nullable(),
   columns: z.array(columnPropsSchema),
   privileges: z.array(privilegePropsSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 // pg_get_viewdef(oid) can return NULL when the underlying matview (or its
@@ -68,6 +74,7 @@ export class MaterializedView extends BasePgModel implements TableLikeObject {
   public readonly comment: MaterializedViewProps["comment"];
   public readonly columns: MaterializedViewProps["columns"];
   public readonly privileges: MaterializedViewPrivilegeProps[];
+  public readonly security_labels: SecurityLabelProps[];
   constructor(props: MaterializedViewProps) {
     super();
@@ -93,6 +100,7 @@ export class MaterializedView extends BasePgModel implements TableLikeObject {
     this.comment = props.comment;
     this.columns = props.columns;
     this.privileges = props.privileges;
+    this.security_labels = props.security_labels ?? [];
   }
   get stableId(): `materializedView:${string}` {
@@ -124,6 +132,7 @@ export class MaterializedView extends BasePgModel implements TableLikeObject {
       comment: this.comment,
       columns: this.columns,
       privileges: this.privileges,
+      security_labels: this.security_labels,
     };
   }
@@ -148,6 +157,7 @@ export class MaterializedView extends BasePgModel implements TableLikeObject {
       data: {
         ...this.dataFields,
         columns: normalizeColumns(),
+        security_labels: normalizeSecurityLabels(this.security_labels),
       },
     };
   }
@@ -252,7 +262,20 @@ select
       join lateral aclexplode(src.acl) as x(grantor, grantee, privilege_type, is_grantable) on true
       group by x.grantee, x.privilege_type
     ) as grp
-  ), '[]') as privileges
+  ), '[]') as privileges,
+  coalesce(
+    (
+      select json_agg(
+        json_build_object('provider', sl.provider, 'label', sl.label)
+        order by sl.provider
+      )
+      from pg_catalog.pg_seclabel sl
+      where sl.objoid = c.oid
+        and sl.classoid = 'pg_class'::regclass
+        and sl.objsubid = 0
+    ),
+    '[]'::json
+  ) as security_labels
 from
   pg_catalog.pg_class c
   left outer join extension_oids e on c.oid = e.objid
@@ -275,7 +298,5 @@ order by
   const validatedRows = mvRows.filter(
     (row): row is MaterializedViewProps => row.definition !== null,
   );
-  return validatedRows.map(
-    (row: MaterializedViewProps) => new MaterializedView(row),
-  );
+  return validatedRows.map((row) => new MaterializedView(row));
 }

package/src/core/objects/procedure/changes/procedure.base.ts CHANGED Viewed

@@ -3,7 +3,11 @@ import type { Procedure } from "../procedure.model.ts";
 abstract class BaseProcedureChange extends BaseChange {
   abstract readonly procedure: Procedure;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "procedure" = "procedure";
 }

package/src/core/objects/procedure/changes/procedure.security-label.ts ADDED Viewed

@@ -0,0 +1,105 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { Procedure } from "../procedure.model.ts";
+import {
+  CreateProcedureChange,
+  DropProcedureChange,
+} from "./procedure.base.ts";
+export type SecurityLabelProcedure =
+  | CreateSecurityLabelOnProcedure
+  | DropSecurityLabelOnProcedure;
+function targetKeyword(p: Procedure): "FUNCTION" | "PROCEDURE" {
+  return p.kind === "p" ? "PROCEDURE" : "FUNCTION";
+}
+function procedureIdentity(p: Procedure): string {
+  return `${p.schema}.${p.name}(${(p.argument_types ?? []).join(",")})`;
+}
+export class CreateSecurityLabelOnProcedure extends CreateProcedureChange {
+  public readonly procedure: Procedure;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: {
+    procedure: Procedure;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.procedure = props.procedure;
+    this.securityLabel = props.securityLabel;
+  }
+  get creates() {
+    return [
+      stableId.securityLabel(
+        this.procedure.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+  get requires() {
+    return [this.procedure.stableId];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON",
+      targetKeyword(this.procedure),
+      procedureIdentity(this.procedure),
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+export class DropSecurityLabelOnProcedure extends DropProcedureChange {
+  public readonly procedure: Procedure;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: {
+    procedure: Procedure;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.procedure = props.procedure;
+    this.securityLabel = props.securityLabel;
+  }
+  get drops() {
+    return [
+      stableId.securityLabel(
+        this.procedure.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+  get requires() {
+    return [
+      stableId.securityLabel(
+        this.procedure.stableId,
+        this.securityLabel.provider,
+      ),
+      this.procedure.stableId,
+    ];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON",
+      targetKeyword(this.procedure),
+      procedureIdentity(this.procedure),
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/procedure/changes/procedure.types.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import type { CommentProcedure } from "./procedure.comment.ts";
 import type { CreateProcedure } from "./procedure.create.ts";
 import type { DropProcedure } from "./procedure.drop.ts";
 import type { ProcedurePrivilege } from "./procedure.privilege.ts";
+import type { SecurityLabelProcedure } from "./procedure.security-label.ts";
 /** Union of all procedure-related change variants (`objectType: "procedure"`). @category Change Types */
 export type ProcedureChange =
@@ -10,4 +11,5 @@ export type ProcedureChange =
   | CommentProcedure
   | CreateProcedure
   | DropProcedure
-  | ProcedurePrivilege;
+  | ProcedurePrivilege
+  | SecurityLabelProcedure;

package/src/core/objects/procedure/procedure.diff.ts CHANGED Viewed

@@ -5,6 +5,7 @@ import {
   filterPublicBuiltInDefaults,
 } from "../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { deepEqual, hasNonAlterableChanges } from "../utils.ts";
 import {
   AlterProcedureChangeOwner,
@@ -26,6 +27,10 @@ import {
   RevokeGrantOptionProcedurePrivileges,
   RevokeProcedurePrivileges,
 } from "./changes/procedure.privilege.ts";
+import {
+  CreateSecurityLabelOnProcedure,
+  DropSecurityLabelOnProcedure,
+} from "./changes/procedure.security-label.ts";
 import type { ProcedureChange } from "./changes/procedure.types.ts";
 import type { Procedure } from "./procedure.model.ts";
@@ -66,6 +71,14 @@ export function diffProcedures(
     if (proc.comment !== null) {
       changes.push(new CreateCommentOnProcedure({ procedure: proc }));
     }
+    for (const label of proc.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnProcedure({
+          procedure: proc,
+          securityLabel: label,
+        }),
+      );
+    }
     // PRIVILEGES: For created objects, compare against default privileges state
     // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
@@ -225,6 +238,26 @@ export function diffProcedures(
         }
       }
+      // SECURITY LABELS
+      changes.push(
+        ...diffSecurityLabels<
+          CreateSecurityLabelOnProcedure | DropSecurityLabelOnProcedure
+        >(
+          mainProcedure.security_labels,
+          branchProcedure.security_labels,
+          (securityLabel) =>
+            new CreateSecurityLabelOnProcedure({
+              procedure: branchProcedure,
+              securityLabel,
+            }),
+          (securityLabel) =>
+            new DropSecurityLabelOnProcedure({
+              procedure: mainProcedure,
+              securityLabel,
+            }),
+        ),
+      );
       // SECURITY DEFINER/INVOKER
       if (mainProcedure.security_definer !== branchProcedure.security_definer) {
         changes.push(