npm - @supabase/pg-delta - Versions diffs - 1.0.0-alpha.22 → 1.0.0-alpha.24 - Mend

@supabase/pg-delta 1.0.0-alpha.22 → 1.0.0-alpha.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (228) hide show

package/src/core/objects/procedure/procedure.model.ts CHANGED Viewed

@@ -10,6 +10,10 @@ import {
   type ExtractRetryOptions,
   extractWithDefinitionRetry,
 } from "../extract-with-retry.ts";
+import {
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 const FunctionKindSchema = z.enum([
   "f", // function
@@ -68,6 +72,7 @@ const procedurePropsSchema = z.object({
   owner: z.string(),
   comment: z.string().nullable(),
   privileges: z.array(privilegePropsSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 // pg_get_functiondef(oid) can return NULL when the function (its pg_proc
@@ -112,6 +117,7 @@ export class Procedure extends BasePgModel {
   public readonly owner: ProcedureProps["owner"];
   public readonly comment: ProcedureProps["comment"];
   public readonly privileges: ProcedurePrivilegeProps[];
+  public readonly security_labels: SecurityLabelProps[];
   constructor(props: ProcedureProps) {
     super();
@@ -148,6 +154,7 @@ export class Procedure extends BasePgModel {
     this.owner = props.owner;
     this.comment = props.comment;
     this.privileges = props.privileges;
+    this.security_labels = props.security_labels ?? [];
   }
   get stableId(): `procedure:${string}` {
@@ -192,6 +199,7 @@ export class Procedure extends BasePgModel {
       owner: this.owner,
       comment: this.comment,
       privileges: this.privileges,
+      security_labels: this.security_labels,
     };
   }
 }
@@ -265,7 +273,20 @@ select
       )
       from lateral aclexplode(COALESCE(p.proacl, acldefault('f', p.proowner))) as x(grantor, grantee, privilege_type, is_grantable)
     ), '[]'
-  ) as privileges
+  ) as privileges,
+  coalesce(
+    (
+      select json_agg(
+        json_build_object('provider', sl.provider, 'label', sl.label)
+        order by sl.provider
+      )
+      from pg_catalog.pg_seclabel sl
+      where sl.objoid = p.oid
+        and sl.classoid = 'pg_proc'::regclass
+        and sl.objsubid = 0
+    ),
+    '[]'::json
+  ) as security_labels
 from
   pg_catalog.pg_proc p
   inner join pg_catalog.pg_language l on l.oid = p.prolang
@@ -283,5 +304,5 @@ order by
   const validatedRows = procedureRows.filter(
     (row): row is ProcedureProps => row.definition !== null,
   );
-  return validatedRows.map((row: ProcedureProps) => new Procedure(row));
+  return validatedRows.map((row) => new Procedure(row));
 }

package/src/core/objects/publication/changes/publication.base.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import type { Publication } from "../publication.model.ts";
 abstract class BasePublicationChange extends BaseChange {
   abstract readonly publication: Publication;
-  abstract readonly scope: "object" | "comment";
+  abstract readonly scope: "object" | "comment" | "security_label";
   readonly objectType = "publication" as const;
 }

package/src/core/objects/publication/changes/publication.security-label.ts ADDED Viewed

@@ -0,0 +1,95 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { Publication } from "../publication.model.ts";
+import {
+  CreatePublicationChange,
+  DropPublicationChange,
+} from "./publication.base.ts";
+export type SecurityLabelPublication =
+  | CreateSecurityLabelOnPublication
+  | DropSecurityLabelOnPublication;
+export class CreateSecurityLabelOnPublication extends CreatePublicationChange {
+  public readonly publication: Publication;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: {
+    publication: Publication;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.publication = props.publication;
+    this.securityLabel = props.securityLabel;
+  }
+  get creates() {
+    return [
+      stableId.securityLabel(
+        this.publication.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+  get requires() {
+    return [this.publication.stableId];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON PUBLICATION",
+      this.publication.name,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+export class DropSecurityLabelOnPublication extends DropPublicationChange {
+  public readonly publication: Publication;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: {
+    publication: Publication;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.publication = props.publication;
+    this.securityLabel = props.securityLabel;
+  }
+  get drops() {
+    return [
+      stableId.securityLabel(
+        this.publication.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+  get requires() {
+    return [
+      stableId.securityLabel(
+        this.publication.stableId,
+        this.securityLabel.provider,
+      ),
+      this.publication.stableId,
+    ];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON PUBLICATION",
+      this.publication.name,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/publication/changes/publication.types.ts CHANGED Viewed

@@ -10,6 +10,7 @@ import type {
 import type { CommentPublication } from "./publication.comment.ts";
 import type { CreatePublication } from "./publication.create.ts";
 import type { DropPublication } from "./publication.drop.ts";
+import type { SecurityLabelPublication } from "./publication.security-label.ts";
 /** Union of all publication-related change variants (`objectType: "publication"`). @category Change Types */
 export type PublicationChange =
@@ -22,4 +23,5 @@ export type PublicationChange =
   | AlterPublicationSetOwner
   | CommentPublication
   | CreatePublication
-  | DropPublication;
+  | DropPublication
+  | SecurityLabelPublication;

package/src/core/objects/publication/publication.diff.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { diffObjects } from "../base.diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { deepEqual } from "../utils.ts";
 import {
   AlterPublicationAddSchemas,
@@ -15,6 +16,10 @@ import {
 } from "./changes/publication.comment.ts";
 import { CreatePublication } from "./changes/publication.create.ts";
 import { DropPublication } from "./changes/publication.drop.ts";
+import {
+  CreateSecurityLabelOnPublication,
+  DropSecurityLabelOnPublication,
+} from "./changes/publication.security-label.ts";
 import type { PublicationChange } from "./changes/publication.types.ts";
 import type {
   Publication,
@@ -47,6 +52,14 @@ export function diffPublications(
     if (publication.comment !== null) {
       changes.push(new CreateCommentOnPublication({ publication }));
     }
+    for (const label of publication.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnPublication({
+          publication,
+          securityLabel: label,
+        }),
+      );
+    }
   }
   for (const id of dropped) {
@@ -172,6 +185,26 @@ export function diffPublications(
         );
       }
     }
+    // SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnPublication | DropSecurityLabelOnPublication
+      >(
+        mainPublication.security_labels,
+        branchPublication.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnPublication({
+            publication: branchPublication,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnPublication({
+            publication: mainPublication,
+            securityLabel,
+          }),
+      ),
+    );
   }
   return changes;

package/src/core/objects/publication/publication.model.ts CHANGED Viewed

@@ -2,6 +2,11 @@ import { sql } from "@ts-safeql/sql-tag";
 import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel } from "../base.model.ts";
+import {
+  normalizeSecurityLabels,
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 const publicationTablePropsSchema = z.object({
   schema: z.string(),
@@ -22,6 +27,7 @@ const publicationPropsSchema = z.object({
   publish_via_partition_root: z.boolean(),
   tables: z.array(publicationTablePropsSchema),
   schemas: z.array(z.string()),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 export type PublicationTableProps = z.infer<typeof publicationTablePropsSchema>;
@@ -44,6 +50,7 @@ export class Publication extends BasePgModel {
   public readonly publish_via_partition_root: PublicationProps["publish_via_partition_root"];
   public readonly tables: PublicationTableProps[];
   public readonly schemas: PublicationProps["schemas"];
+  public readonly security_labels: SecurityLabelProps[];
   constructor(props: PublicationProps) {
     super();
@@ -72,6 +79,7 @@ export class Publication extends BasePgModel {
     });
     this.schemas = [...props.schemas].sort((a, b) => a.localeCompare(b));
+    this.security_labels = props.security_labels ?? [];
   }
   get stableId(): `publication:${string}` {
@@ -96,6 +104,7 @@ export class Publication extends BasePgModel {
       publish_via_partition_root: this.publish_via_partition_root,
       tables: this.tables,
       schemas: this.schemas,
+      security_labels: this.security_labels,
     };
   }
@@ -118,6 +127,7 @@ export class Publication extends BasePgModel {
             a.schema.localeCompare(b.schema) || a.name.localeCompare(b.name),
         ),
         schemas: [...this.schemas].sort((a, b) => a.localeCompare(b)),
+        security_labels: normalizeSecurityLabels(this.security_labels),
       },
     };
   }
@@ -194,7 +204,20 @@ export async function extractPublications(pool: Pool): Promise<Publication[]> {
             where s.pnpubid = p.oid
           ),
           '[]'::json
-        ) as schemas
+        ) as schemas,
+        coalesce(
+          (
+            select json_agg(
+              json_build_object('provider', sl.provider, 'label', sl.label)
+              order by sl.provider
+            )
+            from pg_catalog.pg_seclabel sl
+            where sl.objoid = p.oid
+              and sl.classoid = 'pg_publication'::regclass
+              and sl.objsubid = 0
+          ),
+          '[]'::json
+        ) as security_labels
       from pg_publication p
       left join extension_oids e on e.objid = p.oid
       where e.objid is null

package/src/core/objects/role/changes/role.base.ts CHANGED Viewed

@@ -7,7 +7,8 @@ abstract class BaseRoleChange extends BaseChange {
     | "object"
     | "comment"
     | "membership"
-    | "default_privilege";
+    | "default_privilege"
+    | "security_label";
   readonly objectType: "role" = "role";
 }

package/src/core/objects/role/changes/role.security-label.ts ADDED Viewed

@@ -0,0 +1,77 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { Role } from "../role.model.ts";
+import { CreateRoleChange, DropRoleChange } from "./role.base.ts";
+export type SecurityLabelRole =
+  | CreateSecurityLabelOnRole
+  | DropSecurityLabelOnRole;
+export class CreateSecurityLabelOnRole extends CreateRoleChange {
+  public readonly role: Role;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: { role: Role; securityLabel: SecurityLabelProps }) {
+    super();
+    this.role = props.role;
+    this.securityLabel = props.securityLabel;
+  }
+  get creates() {
+    return [
+      stableId.securityLabel(this.role.stableId, this.securityLabel.provider),
+    ];
+  }
+  get requires() {
+    return [this.role.stableId];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON ROLE",
+      this.role.name,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+export class DropSecurityLabelOnRole extends DropRoleChange {
+  public readonly role: Role;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: { role: Role; securityLabel: SecurityLabelProps }) {
+    super();
+    this.role = props.role;
+    this.securityLabel = props.securityLabel;
+  }
+  get drops() {
+    return [
+      stableId.securityLabel(this.role.stableId, this.securityLabel.provider),
+    ];
+  }
+  get requires() {
+    return [
+      stableId.securityLabel(this.role.stableId, this.securityLabel.provider),
+      this.role.stableId,
+    ];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON ROLE",
+      this.role.name,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/role/changes/role.types.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import type { CommentRole } from "./role.comment.ts";
 import type { CreateRole } from "./role.create.ts";
 import type { DropRole } from "./role.drop.ts";
 import type { RolePrivilege } from "./role.privilege.ts";
+import type { SecurityLabelRole } from "./role.security-label.ts";
 /** Union of all role-related change variants (`objectType: "role"`). @category Change Types */
 export type RoleChange =
@@ -10,4 +11,5 @@ export type RoleChange =
   | CommentRole
   | CreateRole
   | DropRole
-  | RolePrivilege;
+  | RolePrivilege
+  | SecurityLabelRole;

package/src/core/objects/role/role.diff.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import { diffObjects } from "../base.diff.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import {
   AlterRoleSetConfig,
   AlterRoleSetOptions,
@@ -16,6 +17,10 @@ import {
   RevokeRoleMembership,
   RevokeRoleMembershipOptions,
 } from "./changes/role.privilege.ts";
+import {
+  CreateSecurityLabelOnRole,
+  DropSecurityLabelOnRole,
+} from "./changes/role.security-label.ts";
 import type { RoleChange } from "./changes/role.types.ts";
 import type { Role } from "./role.model.ts";
@@ -51,6 +56,14 @@ export function diffRoles(
     if (role.comment !== null) {
       changes.push(new CreateCommentOnRole({ role }));
     }
+    for (const label of role.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnRole({
+          role,
+          securityLabel: label,
+        }),
+      );
+    }
     // MEMBERSHIPS: Grant memberships immediately after role creation.
     // Members are already deduplicated by the Role model constructor.
     for (const membership of role.members) {
@@ -215,6 +228,26 @@ export function diffRoles(
       }
     }
+    // SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnRole | DropSecurityLabelOnRole
+      >(
+        mainRole.security_labels,
+        branchRole.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnRole({
+            role: branchRole,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnRole({
+            role: mainRole,
+            securityLabel,
+          }),
+      ),
+    );
     // MEMBERSHIPS
     // Members are already deduplicated by the Role model constructor.
     const mainMembers = new Map(mainRole.members.map((m) => [m.member, m]));

package/src/core/objects/role/role.model.ts CHANGED Viewed

@@ -2,6 +2,10 @@ import { sql } from "@ts-safeql/sql-tag";
 import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel } from "../base.model.ts";
+import {
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 const membershipInfoSchema = z.object({
   member: z.string(),
@@ -35,6 +39,7 @@ const rolePropsSchema = z.object({
   comment: z.string().nullable(),
   members: z.array(membershipInfoSchema),
   default_privileges: z.array(defaultPrivilegeSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 export type RoleProps = z.infer<typeof rolePropsSchema>;
@@ -53,6 +58,7 @@ export class Role extends BasePgModel {
   public readonly comment: RoleProps["comment"];
   public readonly members: RoleProps["members"];
   public readonly default_privileges: RoleProps["default_privileges"];
+  public readonly security_labels: SecurityLabelProps[];
   constructor(props: RoleProps) {
     super();
@@ -73,6 +79,7 @@ export class Role extends BasePgModel {
     this.comment = props.comment;
     this.members = deduplicateMembers(props.members);
     this.default_privileges = props.default_privileges;
+    this.security_labels = props.security_labels ?? [];
   }
   get stableId(): `role:${string}` {
@@ -129,6 +136,7 @@ export class Role extends BasePgModel {
       comment: this.comment,
       members: sortedMembers,
       default_privileges: sortedDefaultPrivs,
+      security_labels: this.security_labels,
     };
   }
 }
@@ -232,6 +240,18 @@ export async function extractRoles(pool: Pool): Promise<Role[]> {
             r.rolbypassrls  AS can_bypass_rls,
             r.rolconfig     AS config,
             obj_description(r.oid, 'pg_authid') AS comment,
+            COALESCE(
+              (
+                SELECT json_agg(
+                  json_build_object('provider', sl.provider, 'label', sl.label)
+                  ORDER BY sl.provider
+                )
+                FROM pg_catalog.pg_shseclabel sl
+                WHERE sl.objoid = r.oid
+                  AND sl.classoid = 'pg_authid'::regclass
+              ),
+              '[]'::json
+            ) AS security_labels,
             COALESCE(rm.members, '[]') AS members,
             COALESCE(
               (
@@ -353,6 +373,18 @@ export async function extractRoles(pool: Pool): Promise<Role[]> {
             r.rolbypassrls   AS can_bypass_rls,
             r.rolconfig      AS config,
             obj_description(r.oid, 'pg_authid') AS comment,
+            COALESCE(
+              (
+                SELECT json_agg(
+                  json_build_object('provider', sl.provider, 'label', sl.label)
+                  ORDER BY sl.provider
+                )
+                FROM pg_catalog.pg_shseclabel sl
+                WHERE sl.objoid = r.oid
+                  AND sl.classoid = 'pg_authid'::regclass
+              ),
+              '[]'::json
+            ) AS security_labels,
             COALESCE(rm.members, '[]') AS members,
             COALESCE(
               (

package/src/core/objects/schema/changes/schema.alter.test.ts CHANGED Viewed

@@ -10,6 +10,7 @@ describe.concurrent("schema", () => {
         name: "test_schema",
         comment: null,
         privileges: [],
+        security_labels: [],
       };
       const schemaObj = new Schema({
         ...props,

package/src/core/objects/schema/changes/schema.base.ts CHANGED Viewed

@@ -3,7 +3,11 @@ import type { Schema } from "../schema.model.ts";
 abstract class BaseSchemaChange extends BaseChange {
   abstract readonly schema: Schema;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "schema" = "schema";
 }

package/src/core/objects/schema/changes/schema.create.test.ts CHANGED Viewed

@@ -10,6 +10,7 @@ describe("schema", () => {
       owner: "test",
       comment: null,
       privileges: [],
+      security_labels: [],
     });
     const change = new CreateSchema({

package/src/core/objects/schema/changes/schema.drop.test.ts CHANGED Viewed

@@ -10,6 +10,7 @@ describe("schema", () => {
       owner: "test",
       comment: null,
       privileges: [],
+      security_labels: [],
     });
     const change = new DropSchema({

package/src/core/objects/schema/changes/schema.security-label.test.ts ADDED Viewed

@@ -0,0 +1,76 @@
+import { describe, expect, test } from "bun:test";
+import { assertValidSql } from "../../../test-utils/assert-valid-sql.ts";
+import { stableId } from "../../utils.ts";
+import { Schema } from "../schema.model.ts";
+import {
+  CreateSecurityLabelOnSchema,
+  DropSecurityLabelOnSchema,
+} from "./schema.security-label.ts";
+const makeSchema = () =>
+  new Schema({
+    name: "app",
+    owner: "postgres",
+    comment: null,
+    privileges: [],
+    security_labels: [],
+  });
+describe("schema.security-label", () => {
+  test("create serializes and tracks dependencies", async () => {
+    const schema = makeSchema();
+    const change = new CreateSecurityLabelOnSchema({
+      schema,
+      securityLabel: {
+        provider: "pg_graphql",
+        label: '{"inflect_names":true}',
+      },
+    });
+    expect(change.scope).toBe("security_label");
+    expect(change.operation).toBe("create");
+    expect(change.objectType).toBe("schema");
+    expect(change.creates).toEqual([
+      stableId.securityLabel(schema.stableId, "pg_graphql"),
+    ]);
+    expect(change.requires).toEqual([schema.stableId]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      `SECURITY LABEL FOR pg_graphql ON SCHEMA app IS '{"inflect_names":true}'`,
+    );
+  });
+  test("drop serializes to IS NULL and tracks dependencies", async () => {
+    const schema = makeSchema();
+    const change = new DropSecurityLabelOnSchema({
+      schema,
+      securityLabel: { provider: "pg_graphql", label: "old" },
+    });
+    expect(change.scope).toBe("security_label");
+    expect(change.operation).toBe("drop");
+    expect(change.drops).toEqual([
+      stableId.securityLabel(schema.stableId, "pg_graphql"),
+    ]);
+    expect(change.requires).toEqual([
+      stableId.securityLabel(schema.stableId, "pg_graphql"),
+      schema.stableId,
+    ]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR pg_graphql ON SCHEMA app IS NULL",
+    );
+  });
+  test("create escapes single quotes in label", async () => {
+    const schema = makeSchema();
+    const change = new CreateSecurityLabelOnSchema({
+      schema,
+      securityLabel: { provider: "p", label: "it's a test" },
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR p ON SCHEMA app IS 'it''s a test'",
+    );
+  });
+});