npm - @supabase/pg-delta - Versions diffs - 1.0.0-alpha.24 → 1.0.0-alpha.25 - Mend

@supabase/pg-delta 1.0.0-alpha.24 → 1.0.0-alpha.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (58) hide show

package/dist/core/objects/foreign-data-wrapper/user-mapping/changes/user-mapping.alter.js CHANGED Viewed

@@ -1,4 +1,5 @@
 import { quoteLiteral } from "../../../base.change.js";
+import { redactOptionValue } from "../../sensitive-options.js";
 import { AlterUserMappingChange } from "./user-mapping.base.js";
 /**
  * ALTER USER MAPPING ... OPTIONS ( ADD | SET | DROP ... )
@@ -22,7 +23,9 @@ export class AlterUserMappingSetOptions extends AlterUserMappingChange {
                 optionParts.push(`DROP ${opt.option}`);
             }
             else {
-                const value = opt.value !== undefined ? quoteLiteral(opt.value) : "''";
+                const value = opt.value !== undefined
+                    ? quoteLiteral(redactOptionValue(opt.option, opt.value))
+                    : "''";
                 optionParts.push(`${opt.action} ${opt.option} ${value}`);
             }
         }

package/dist/core/objects/foreign-data-wrapper/user-mapping/changes/user-mapping.create.js CHANGED Viewed

@@ -1,5 +1,6 @@
 import { quoteLiteral } from "../../../base.change.js";
 import { stableId } from "../../../utils.js";
+import { redactOptionValue } from "../../sensitive-options.js";
 import { CreateUserMappingChange } from "./user-mapping.base.js";
 /**
  * Create a user mapping.
@@ -39,9 +40,11 @@ export class CreateUserMapping extends CreateUserMappingChange {
         if (this.userMapping.options && this.userMapping.options.length > 0) {
             const optionPairs = [];
             for (let i = 0; i < this.userMapping.options.length; i += 2) {
-                if (i + 1 < this.userMapping.options.length) {
-                    optionPairs.push(`${this.userMapping.options[i]} ${quoteLiteral(this.userMapping.options[i + 1])}`);
-                }
+                const key = this.userMapping.options[i];
+                const value = this.userMapping.options[i + 1];
+                if (key === undefined || value === undefined)
+                    continue;
+                optionPairs.push(`${key} ${quoteLiteral(redactOptionValue(key, value))}`);
             }
             if (optionPairs.length > 0) {
                 parts.push(`OPTIONS (${optionPairs.join(", ")})`);

package/dist/core/objects/foreign-data-wrapper/user-mapping/user-mapping.model.d.ts CHANGED Viewed

@@ -32,5 +32,15 @@ export declare class UserMapping extends BasePgModel {
         options: string[] | null;
     };
 }
+/**
+ * Extract `pg_user_mapping` rows into `UserMapping` models.
+ *
+ * The returned models carry option values **verbatim** from
+ * `pg_user_mapping.umoptions`, which means cleartext secrets like
+ * `password` are present in memory. Always route through
+ * `extractCatalog` (which calls `normalizeCatalog`) before emitting
+ * options to any output channel — see CLI-1467 and
+ * `packages/pg-delta/src/core/objects/foreign-data-wrapper/sensitive-options.ts`.
+ */
 export declare function extractUserMappings(pool: Pool): Promise<UserMapping[]>;
 export {};

package/dist/core/objects/foreign-data-wrapper/user-mapping/user-mapping.model.js CHANGED Viewed

@@ -44,6 +44,16 @@ export class UserMapping extends BasePgModel {
         };
     }
 }
+/**
+ * Extract `pg_user_mapping` rows into `UserMapping` models.
+ *
+ * The returned models carry option values **verbatim** from
+ * `pg_user_mapping.umoptions`, which means cleartext secrets like
+ * `password` are present in memory. Always route through
+ * `extractCatalog` (which calls `normalizeCatalog`) before emitting
+ * options to any output channel — see CLI-1467 and
+ * `packages/pg-delta/src/core/objects/foreign-data-wrapper/sensitive-options.ts`.
+ */
 export async function extractUserMappings(pool) {
     const { rows: mappingRows } = await pool.query(sql `
       select

package/dist/core/objects/rls-policy/rls-policy.model.d.ts CHANGED Viewed

@@ -3,9 +3,9 @@ import z from "zod";
 import { BasePgModel } from "../base.model.ts";
 declare const rlsPolicyReferencedRelationSchema: z.ZodObject<{
     kind: z.ZodEnum<{
+        table: "table";
         foreign_table: "foreign_table";
         materialized_view: "materialized_view";
-        table: "table";
         view: "view";
     }>;
     schema: z.ZodString;
@@ -37,9 +37,9 @@ declare const rlsPolicyPropsSchema: z.ZodObject<{
     comment: z.ZodNullable<z.ZodString>;
     referenced_relations: z.ZodArray<z.ZodObject<{
         kind: z.ZodEnum<{
+            table: "table";
             foreign_table: "foreign_table";
             materialized_view: "materialized_view";
-            table: "table";
             view: "view";
         }>;
         schema: z.ZodString;

package/dist/core/objects/table/table.model.js CHANGED Viewed

@@ -292,8 +292,13 @@ select
           'no_inherit', c.connoinherit,
           'is_temporal', coalesce((to_jsonb(c)->>'conperiod')::boolean, false),
-          -- NEW: propagated-to-partition tagging (PG15+)
-          'is_partition_clone', (c.conparentid <> 0::oid),
+          -- Inherited from a parent (partition or classical inheritance).
+          -- coninhcount > 0 is the canonical signal across every constraint
+          -- kind. We previously used conparentid <> 0, but PostgreSQL only
+          -- populates conparentid for PK / UNIQUE / FK on partitions; CHECK
+          -- constraints on partitions always have conparentid = 0 and were
+          -- being re-emitted on every child, failing apply with 42710.
+          'is_partition_clone', (c.coninhcount > 0),
           'parent_constraint_schema', case when c.conparentid <> 0::oid then pc.connamespace::regnamespace::text end,
           'parent_constraint_name',   case when c.conparentid <> 0::oid then quote_ident(pc.conname) end,
           'parent_table_schema',      case when c.conparentid <> 0::oid then pc_rel.relnamespace::regnamespace::text end,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@supabase/pg-delta",
-  "version": "1.0.0-alpha.24",
+  "version": "1.0.0-alpha.25",
   "description": "PostgreSQL migrations made easy",
   "type": "module",
   "sideEffects": false,

package/src/core/catalog.model.ts CHANGED Viewed

@@ -22,12 +22,13 @@ import {
 } from "./objects/extension/extension.model.ts";
 import {
   extractForeignDataWrappers,
-  type ForeignDataWrapper,
+  ForeignDataWrapper,
 } from "./objects/foreign-data-wrapper/foreign-data-wrapper/foreign-data-wrapper.model.ts";
 import {
   extractForeignTables,
-  type ForeignTable,
+  ForeignTable,
 } from "./objects/foreign-data-wrapper/foreign-table/foreign-table.model.ts";
+import { redactSensitiveOptionPairs } from "./objects/foreign-data-wrapper/sensitive-options.ts";
 import {
   extractServers,
   Server,
@@ -421,29 +422,56 @@ function listToRecord<T extends BasePgModel>(list: T[]) {
 }
 function normalizeCatalog(catalog: Catalog): Catalog {
+  const foreignDataWrappers = mapRecord(
+    catalog.foreignDataWrappers,
+    (fdw) =>
+      new ForeignDataWrapper({
+        name: fdw.name,
+        owner: fdw.owner,
+        handler: fdw.handler,
+        validator: fdw.validator,
+        options: redactSensitiveOptionPairs(fdw.options),
+        comment: fdw.comment,
+        privileges: fdw.privileges,
+      }),
+  );
   const servers = mapRecord(catalog.servers, (server) => {
-    const maskedOptions = maskOptions(server.options);
     return new Server({
       name: server.name,
       owner: server.owner,
       foreign_data_wrapper: server.foreign_data_wrapper,
       type: server.type,
       version: server.version,
-      options: maskedOptions,
+      options: redactSensitiveOptionPairs(server.options),
       comment: server.comment,
       privileges: server.privileges,
     });
   });
   const userMappings = mapRecord(catalog.userMappings, (mapping) => {
-    const maskedOptions = maskOptions(mapping.options);
     return new UserMapping({
       user: mapping.user,
       server: mapping.server,
-      options: maskedOptions,
+      options: redactSensitiveOptionPairs(mapping.options),
     });
   });
+  const foreignTables = mapRecord(
+    catalog.foreignTables,
+    (foreignTable) =>
+      new ForeignTable({
+        schema: foreignTable.schema,
+        name: foreignTable.name,
+        owner: foreignTable.owner,
+        server: foreignTable.server,
+        columns: foreignTable.columns,
+        options: redactSensitiveOptionPairs(foreignTable.options),
+        comment: foreignTable.comment,
+        privileges: foreignTable.privileges,
+      }),
+  );
   const subscriptions = mapRecord(catalog.subscriptions, (subscription) => {
     return new Subscription({
       name: subscription.name,
@@ -490,10 +518,10 @@ function normalizeCatalog(catalog: Catalog): Catalog {
     rules: catalog.rules,
     ranges: catalog.ranges,
     views: catalog.views,
-    foreignDataWrappers: catalog.foreignDataWrappers,
+    foreignDataWrappers,
     servers,
     userMappings,
-    foreignTables: catalog.foreignTables,
+    foreignTables,
     depends: catalog.depends,
     indexableObjects: catalog.indexableObjects,
     version: catalog.version,
@@ -501,18 +529,6 @@ function normalizeCatalog(catalog: Catalog): Catalog {
   });
 }
-function maskOptions(options: string[] | null): string[] | null {
-  if (!options || options.length === 0) return options;
-  const masked: string[] = [];
-  for (let i = 0; i < options.length; i += 2) {
-    const key = options[i];
-    const value = options[i + 1];
-    if (key === undefined || value === undefined) continue;
-    masked.push(key, `__OPTION_${key.toUpperCase()}__`);
-  }
-  return masked.length > 0 ? masked : null;
-}
 function mapRecord<TValue, TResult>(
   record: Record<string, TValue>,
   mapper: (value: TValue) => TResult,

package/src/core/integrations/supabase.test.ts ADDED Viewed

@@ -0,0 +1,198 @@
+import { describe, expect, test } from "bun:test";
+import type { Change } from "../change.types.ts";
+import { evaluatePattern } from "./filter/dsl.ts";
+import { supabase } from "./supabase.ts";
+if (!supabase.filter) {
+  throw new Error("supabase integration is missing a filter");
+}
+const filter = supabase.filter;
+/**
+ * Build a synthetic FDW change shaped like what `flattenChange` consumes.
+ * The change carries a `foreignDataWrapper` model whose `handler`/`validator`
+ * are schema-qualified function references (the form
+ * `extractForeignDataWrappers` produces).
+ */
+function fdwChange(
+  operation: "create" | "alter" | "drop",
+  fdw: {
+    name: string;
+    owner: string;
+    handler: string | null;
+    validator: string | null;
+  },
+): Change {
+  return {
+    objectType: "foreign_data_wrapper",
+    operation,
+    scope: "object",
+    foreignDataWrapper: fdw,
+    requires: [],
+    creates: [],
+    drops: [],
+  } as unknown as Change;
+}
+/**
+ * Synthetic FDW privilege change. The three concrete privilege classes
+ * (`GrantForeignDataWrapperPrivileges`, `RevokeForeignDataWrapperPrivileges`,
+ * `RevokeGrantOptionForeignDataWrapperPrivileges`) all extend
+ * `AlterForeignDataWrapperChange`, so their `operation` is `"alter"` in
+ * production. The filter rule we exercise here keys off `scope` only,
+ * but pinning `operation: "alter"` keeps the synthetic shape honest.
+ */
+function fdwPrivilegeChange(fdw: { name: string; owner: string }): Change {
+  return {
+    objectType: "foreign_data_wrapper",
+    operation: "alter",
+    scope: "privilege",
+    foreignDataWrapper: { ...fdw, handler: null, validator: null },
+    grantee: "postgres",
+    requires: [],
+    creates: [],
+    drops: [],
+  } as unknown as Change;
+}
+function serverPrivilegeChange(server: {
+  name: string;
+  owner: string;
+}): Change {
+  return {
+    objectType: "server",
+    operation: "alter",
+    scope: "privilege",
+    server,
+    grantee: "postgres",
+    requires: [],
+    creates: [],
+    drops: [],
+  } as unknown as Change;
+}
+describe("supabase integration filter — foreign data wrappers", () => {
+  // Regression for CLI-1470. Wasm-based foreign data wrappers on Supabase
+  // (e.g. `clerk`, `clerk_oauth`) are provisioned at project creation by
+  // `supabase_admin` and their handler/validator live in `extensions.*`.
+  // pg-delta must not emit `CREATE/DROP/ALTER FOREIGN DATA WRAPPER` for
+  // them, even when the FDW owner has been rewritten away from
+  // `supabase_admin` (e.g. after a dump/restore).
+  test("suppresses CREATE for FDW with handler in extensions schema", () => {
+    const change = fdwChange("create", {
+      name: "clerk",
+      owner: "postgres",
+      handler: "extensions.wasm_fdw_handler",
+      validator: "extensions.wasm_fdw_validator",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+  test("suppresses DROP for FDW with handler in extensions schema", () => {
+    const change = fdwChange("drop", {
+      name: "clerk_oauth",
+      owner: "postgres",
+      handler: "extensions.wasm_fdw_handler",
+      validator: "extensions.wasm_fdw_validator",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+  test("suppresses ALTER for FDW with handler in extensions schema", () => {
+    const change = fdwChange("alter", {
+      name: "clerk",
+      owner: "postgres",
+      handler: "extensions.wasm_fdw_handler",
+      validator: "extensions.wasm_fdw_validator",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+  test("suppresses FDW when only the validator lives in extensions", () => {
+    const change = fdwChange("create", {
+      name: "partial_wasm",
+      owner: "postgres",
+      handler: null,
+      validator: "extensions.wasm_fdw_validator",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+  test("preserves user FDW whose handler lives outside extensions", () => {
+    const change = fdwChange("create", {
+      name: "user_fdw",
+      owner: "postgres",
+      handler: "public.my_fdw_handler",
+      validator: "public.my_fdw_validator",
+    });
+    expect(evaluatePattern(filter, change)).toBe(true);
+  });
+  test("preserves user FDW with no handler/validator", () => {
+    const change = fdwChange("create", {
+      name: "user_fdw_bare",
+      owner: "postgres",
+      handler: null,
+      validator: null,
+    });
+    expect(evaluatePattern(filter, change)).toBe(true);
+  });
+});
+describe("supabase integration filter — foreign data wrapper / server ACLs", () => {
+  // Regression for CLI-1469. `GRANT`/`REVOKE ... ON FOREIGN DATA WRAPPER`
+  // require superuser. On Supabase Cloud `postgres` has the elevated
+  // rights to make them work; the local Docker image does not, so
+  // `supabase db reset` aborts with `permission denied for foreign-data
+  // wrapper`. FDW ACL is platform-managed, not user-declarative state —
+  // suppress regardless of owner because `pg_dump` rewrites OWNER TO
+  // away from `supabase_admin`.
+  test("suppresses FDW ACL when owner=supabase_admin (existing */owner rule)", () => {
+    const change = fdwPrivilegeChange({
+      name: "dblink_fdw",
+      owner: "supabase_admin",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+  test("suppresses FDW ACL when owner=postgres (post-restore)", () => {
+    const change = fdwPrivilegeChange({
+      name: "dblink_fdw",
+      owner: "postgres",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+  // FOREIGN SERVER ACL is owner-scoped, not blanket-suppressed:
+  // server GRANT/REVOKE does not require superuser, so a user-owned
+  // server's ACL must roundtrip. The pre-existing `*/owner` rule
+  // already drops platform-managed servers (owner ∈ system roles).
+  test("suppresses server ACL when owner=supabase_admin (existing */owner rule)", () => {
+    const change = serverPrivilegeChange({
+      name: "platform_server",
+      owner: "supabase_admin",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+  test("preserves server ACL when owner=postgres", () => {
+    const change = serverPrivilegeChange({
+      name: "user_dblink_server",
+      owner: "postgres",
+    });
+    expect(evaluatePattern(filter, change)).toBe(true);
+  });
+  // Non-privilege FDW changes whose handler/validator aren't in
+  // `extensions.*` should still pass through (a user FDW is plain DDL,
+  // not the platform-managed flavor).
+  test("preserves non-privilege FDW changes for user wrappers", () => {
+    const change = fdwChange("create", {
+      name: "user_fdw",
+      owner: "postgres",
+      handler: "public.my_fdw_handler",
+      validator: null,
+    });
+    expect(evaluatePattern(filter, change)).toBe(true);
+  });
+});

package/src/core/integrations/supabase.ts CHANGED Viewed

@@ -99,6 +99,34 @@ export const supabase: IntegrationDSL = {
         operation: "drop",
         scope: "object",
       },
+      // Include user-attached triggers on tables in Supabase-managed schemas.
+      //
+      // Triggers live in the schema of the table they fire on, so a user
+      // trigger on `auth.users` reports `trigger/schema = auth` and is
+      // otherwise indistinguishable from Supabase's own triggers via the
+      // schema-level deny list. Triggers also have no real owner — pg-delta
+      // surfaces the parent table's owner as `trigger/owner`, which for
+      // `auth.users` and `storage.objects` is always a Supabase system role,
+      // so the owner-level deny list catches them too.
+      //
+      // The trigger function, however, is genuinely user-owned: a customer
+      // who wants to run code on an auth event creates a function in
+      // `public` (or any non-managed schema) and points the trigger at it.
+      // Supabase's own auth/storage triggers either come from extensions
+      // (already filtered out at extract time via `pg_depend`) or call
+      // functions inside the same managed schema, so `function_schema`
+      // outside the managed list is a reliable user-defined marker.
+      {
+        and: [
+          { objectType: "trigger" },
+          { "trigger/schema": [...SUPABASE_SYSTEM_SCHEMAS] },
+          {
+            not: {
+              "trigger/function_schema": [...SUPABASE_SYSTEM_SCHEMAS],
+            },
+          },
+        ],
+      },
       // Exclude system objects
       {
         not: {
@@ -131,6 +159,62 @@ export const supabase: IntegrationDSL = {
                 },
               ],
             },
+            // Platform-managed foreign data wrapper ACL.
+            // `GRANT`/`REVOKE ... ON FOREIGN DATA WRAPPER` requires
+            // superuser. On Supabase Cloud `postgres` has the elevated
+            // rights to make this work, but the local Docker image does
+            // not, so `supabase db reset` aborts with
+            // `permission denied for foreign-data wrapper`. The
+            // `*/owner` rule above already covers wrappers owned by
+            // `supabase_admin`, but `pg_dump` rewrites OWNER TO clauses
+            // to whoever the dump runs under, so after a restore the
+            // FDW typically ends up owned by `postgres` and slips past
+            // the owner gate. A non-superuser `postgres` still can't
+            // grant on a FDW (this is true regardless of who owns the
+            // wrapper locally), so the ACL diff is not user-replayable.
+            // We don't apply the same blanket rule to `FOREIGN SERVER`:
+            // server GRANT/REVOKE doesn't require superuser, and
+            // user-created servers (e.g. a `dblink` server pointing to
+            // a peer DB) carry legitimate user ACL that should
+            // roundtrip — the existing `*/owner` rule already drops
+            // platform-managed servers.
+            {
+              and: [
+                { objectType: "foreign_data_wrapper" },
+                { scope: "privilege" },
+              ],
+            },
+            // Platform-managed foreign data wrappers — Wasm-based FDWs
+            // (e.g. `clerk`, `clerk_oauth`) whose handler/validator live in
+            // the `extensions` schema. `CREATE FOREIGN DATA WRAPPER`
+            // requires superuser, and Supabase Cloud provisions these via
+            // `supabase_admin` at project creation; replaying the DDL
+            // against a local image fails because the local environment
+            // has no equivalent pre-step. We can't rely on the FDW owner
+            // alone — after a dump/restore the owner is often rewritten
+            // away from `supabase_admin` — so match on the function
+            // reference instead.
+            {
+              and: [
+                { objectType: "foreign_data_wrapper" },
+                {
+                  or: [
+                    {
+                      "foreign_data_wrapper/handler": {
+                        op: "regex",
+                        value: "^extensions\\.",
+                      },
+                    },
+                    {
+                      "foreign_data_wrapper/validator": {
+                        op: "regex",
+                        value: "^extensions\\.",
+                      },
+                    },
+                  ],
+                },
+              ],
+            },
           ],
         },
       },

package/src/core/objects/aggregate/changes/aggregate.privilege.test.ts CHANGED Viewed

@@ -92,6 +92,85 @@ describe("aggregate.privilege", () => {
     );
   });
+  // Regression for CLI-1471: ordered-set / hypothetical-set / variadic
+  // aggregates have `identity_arguments` that include `ORDER BY` or
+  // `VARIADIC` keywords. Those keywords are rejected by
+  // `GRANT ... ON FUNCTION (...)` (only positional argument types are
+  // accepted there), so the serializer must drop back to the
+  // `proargtypes`-derived `argument_types` list.
+  test("grant on ordered-set aggregate emits proargtypes signature", async () => {
+    const aggregate = new Aggregate({
+      ...base,
+      name: "os_last",
+      aggkind: "o",
+      identity_arguments: "anyelement ORDER BY anyelement",
+      argument_types: ["anyelement", "anyelement"],
+      return_type: "anyelement",
+      transition_function: "public.os_last_sfunc(anyelement,anyelement)",
+      state_data_type: "anyelement",
+      argument_count: 2,
+    });
+    const change = new GrantAggregatePrivileges({
+      aggregate,
+      grantee: "role_exec",
+      privileges: [{ privilege: "EXECUTE", grantable: false }],
+      version: 170000,
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "GRANT ALL ON FUNCTION public.os_last(anyelement, anyelement) TO role_exec",
+    );
+  });
+  test("revoke on hypothetical-set aggregate emits proargtypes signature", async () => {
+    const aggregate = new Aggregate({
+      ...base,
+      name: "hyp_rank",
+      aggkind: "h",
+      identity_arguments: 'VARIADIC "any" ORDER BY VARIADIC "any"',
+      argument_types: ['"any"'],
+      return_type: "bigint",
+      transition_function:
+        'pg_catalog.ordered_set_transition_multi(internal,"any")',
+      state_data_type: "internal",
+      argument_count: 1,
+    });
+    const change = new RevokeAggregatePrivileges({
+      aggregate,
+      grantee: "role_old",
+      privileges: [{ privilege: "EXECUTE", grantable: false }],
+      version: 170000,
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      'REVOKE ALL ON FUNCTION public.hyp_rank("any") FROM role_old',
+    );
+  });
+  test("revoke grant option on ordered-set aggregate emits proargtypes signature", async () => {
+    const aggregate = new Aggregate({
+      ...base,
+      name: "os_last",
+      aggkind: "o",
+      identity_arguments: "anyelement ORDER BY anyelement",
+      argument_types: ["anyelement", "anyelement"],
+      return_type: "anyelement",
+      transition_function: "public.os_last_sfunc(anyelement,anyelement)",
+      state_data_type: "anyelement",
+      argument_count: 2,
+    });
+    const change = new RevokeGrantOptionAggregatePrivileges({
+      aggregate,
+      grantee: "role_with_option",
+      privilegeNames: ["EXECUTE"],
+      version: 170000,
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "REVOKE GRANT OPTION FOR ALL ON FUNCTION public.os_last(anyelement, anyelement) FROM role_with_option",
+    );
+  });
   test("revoke privileges and grant option", async () => {
     const aggregate = new Aggregate(base);
     const revoke = new RevokeAggregatePrivileges({

package/src/core/objects/aggregate/changes/aggregate.privilege.ts CHANGED Viewed

@@ -12,6 +12,25 @@ export type AggregatePrivilege =
   | RevokeAggregatePrivileges
   | RevokeGrantOptionAggregatePrivileges;
+/**
+ * Build the signature `<schema>.<name>(<argtypes>)` for use inside
+ * `GRANT`/`REVOKE ... ON FUNCTION (...)`.
+ *
+ * The aggregate's `identityArguments` (from
+ * `pg_get_function_identity_arguments`) embeds `ORDER BY` for ordered-set
+ * and hypothetical-set aggregates (`aggkind` of `o`/`h`) and `VARIADIC`
+ * for variadic aggregates — both of which the GRANT parser rejects with
+ * a syntax error. PostgreSQL resolves the aggregate from the positional
+ * argument types alone, so use `argument_types` here regardless of
+ * `aggkind`. Other aggregate DDL (`ALTER AGGREGATE`, `COMMENT ON
+ * AGGREGATE`, `SECURITY LABEL ON AGGREGATE`, `DROP AGGREGATE`) accepts
+ * the identity form and keeps using it.
+ */
+function aggregateGrantSignature(aggregate: Aggregate): string {
+  const args = (aggregate.argument_types ?? []).join(", ");
+  return `${aggregate.schema}.${aggregate.name}(${args})`;
+}
 export class GrantAggregatePrivileges extends AlterAggregateChange {
   public readonly aggregate: Aggregate;
   public readonly grantee: string;
@@ -52,9 +71,7 @@ export class GrantAggregatePrivileges extends AlterAggregateChange {
     const kindPrefix = getObjectKindPrefix("FUNCTION");
     const list = this.privileges.map((p) => p.privilege);
     const privSql = formatObjectPrivilegeList("FUNCTION", list, this.version);
-    const aggregateName = `${this.aggregate.schema}.${this.aggregate.name}`;
-    const signature = this.aggregate.identityArguments;
-    const qualified = `${aggregateName}(${signature})`;
+    const qualified = aggregateGrantSignature(this.aggregate);
     return `GRANT ${privSql} ${kindPrefix} ${qualified} TO ${this.grantee}${withGrant}`;
   }
 }
@@ -97,9 +114,7 @@ export class RevokeAggregatePrivileges extends AlterAggregateChange {
     const kindPrefix = getObjectKindPrefix("FUNCTION");
     const list = this.privileges.map((p) => p.privilege);
     const privSql = formatObjectPrivilegeList("FUNCTION", list, this.version);
-    const aggregateName = `${this.aggregate.schema}.${this.aggregate.name}`;
-    const signature = this.aggregate.identityArguments;
-    const qualified = `${aggregateName}(${signature})`;
+    const qualified = aggregateGrantSignature(this.aggregate);
     return `REVOKE ${privSql} ${kindPrefix} ${qualified} FROM ${this.grantee}`;
   }
 }
@@ -139,9 +154,7 @@ export class RevokeGrantOptionAggregatePrivileges extends AlterAggregateChange {
       this.privilegeNames,
       this.version,
     );
-    const aggregateName = `${this.aggregate.schema}.${this.aggregate.name}`;
-    const signature = this.aggregate.identityArguments;
-    const qualified = `${aggregateName}(${signature})`;
+    const qualified = aggregateGrantSignature(this.aggregate);
     return `REVOKE GRANT OPTION FOR ${privSql} ${kindPrefix} ${qualified} FROM ${this.grantee}`;
   }
 }