npm - @supabase/pg-delta - Versions diffs - 1.0.0-alpha.26 → 1.0.0-alpha.28 - Mend

@supabase/pg-delta 1.0.0-alpha.26 → 1.0.0-alpha.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

package/src/core/catalog.diff.test.ts ADDED Viewed

@@ -0,0 +1,173 @@
+import { describe, expect, test } from "bun:test";
+import { diffCatalogs } from "./catalog.diff.ts";
+import { Catalog, createEmptyCatalog } from "./catalog.model.ts";
+import { Role, type RoleProps } from "./objects/role/role.model.ts";
+import {
+  GrantViewPrivileges,
+  RevokeViewPrivileges,
+} from "./objects/view/changes/view.privilege.ts";
+import { View, type ViewProps } from "./objects/view/view.model.ts";
+const idColumn: ViewProps["columns"][number] = {
+  name: "id",
+  position: 1,
+  data_type: "integer",
+  data_type_str: "integer",
+  is_custom_type: false,
+  custom_type_type: null,
+  custom_type_category: null,
+  custom_type_schema: null,
+  custom_type_name: null,
+  not_null: false,
+  is_identity: false,
+  is_identity_always: false,
+  is_generated: false,
+  collation: null,
+  default: null,
+  comment: null,
+};
+const nameColumn: ViewProps["columns"][number] = {
+  name: "name",
+  position: 2,
+  data_type: "text",
+  data_type_str: "text",
+  is_custom_type: false,
+  custom_type_type: null,
+  custom_type_category: null,
+  custom_type_schema: null,
+  custom_type_name: null,
+  not_null: false,
+  is_identity: false,
+  is_identity_always: false,
+  is_generated: false,
+  collation: null,
+  default: null,
+  comment: null,
+};
+const baseView: ViewProps = {
+  schema: "public",
+  name: "replaced_view",
+  definition: "SELECT id FROM source_table",
+  row_security: false,
+  force_row_security: false,
+  has_indexes: false,
+  has_rules: false,
+  has_triggers: false,
+  has_subclasses: false,
+  is_populated: true,
+  replica_identity: "d",
+  is_partition: false,
+  options: null,
+  partition_bound: null,
+  owner: "postgres",
+  comment: null,
+  columns: [idColumn],
+  privileges: [],
+};
+const makeView = (override: Partial<ViewProps> = {}) =>
+  new View({
+    ...baseView,
+    ...override,
+    columns: override.columns ?? [...baseView.columns],
+    privileges: override.privileges ?? [...baseView.privileges],
+  });
+const makeRole = (name: string, override: Partial<RoleProps> = {}) =>
+  new Role({
+    name,
+    is_superuser: false,
+    can_inherit: true,
+    can_create_roles: false,
+    can_create_databases: false,
+    can_login: true,
+    can_replicate: false,
+    connection_limit: null,
+    can_bypass_rls: false,
+    config: null,
+    comment: null,
+    members: [],
+    default_privileges: [],
+    security_labels: [],
+    ...override,
+  });
+describe("catalog.diff", () => {
+  test("keeps replacement-created view grants through dropped-target privilege filtering", async () => {
+    const baseline = await createEmptyCatalog(170000, "postgres");
+    const mainView = makeView();
+    const branchView = makeView({
+      definition: "SELECT id, name FROM source_table",
+      columns: [...mainView.columns, nameColumn],
+      privileges: [
+        { grantee: "view_reader", privilege: "SELECT", grantable: false },
+      ],
+    });
+    const main = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...baseline,
+      views: { [mainView.stableId]: mainView },
+    });
+    const branch = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...baseline,
+      views: { [branchView.stableId]: branchView },
+    });
+    const changes = diffCatalogs(main, branch);
+    expect(
+      changes.some((change) => change instanceof GrantViewPrivileges),
+    ).toBe(true);
+  });
+  test("keeps replacement-created view revokes through dropped-target privilege filtering", async () => {
+    const baseline = await createEmptyCatalog(170000, "postgres");
+    const mainView = makeView();
+    const branchView = makeView({
+      definition: "SELECT id, name FROM source_table",
+      columns: [...mainView.columns, nameColumn],
+    });
+    const postgres = makeRole("postgres", {
+      default_privileges: [
+        {
+          in_schema: "public",
+          objtype: "r",
+          grantee: "view_reader",
+          privileges: [{ privilege: "SELECT", grantable: false }],
+          is_implicit: false,
+        },
+      ],
+    });
+    const viewReader = makeRole("view_reader");
+    const roles = {
+      [postgres.stableId]: postgres,
+      [viewReader.stableId]: viewReader,
+    };
+    const main = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...baseline,
+      roles,
+      views: { [mainView.stableId]: mainView },
+    });
+    const branch = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...baseline,
+      roles,
+      views: { [branchView.stableId]: branchView },
+    });
+    // The recreated view inherits SELECT from default privileges, but the
+    // branch model wants no explicit reader ACL. The replacement filter must
+    // keep the generated REVOKE even though the old view stable id is dropped.
+    const changes = diffCatalogs(main, branch);
+    expect(
+      changes.some((change) => change instanceof RevokeViewPrivileges),
+    ).toBe(true);
+  });
+});

package/src/core/catalog.diff.ts CHANGED Viewed

@@ -217,19 +217,39 @@ export function diffCatalogs(
     ...diffForeignTables(diffContext, main.foreignTables, branch.foreignTables),
   );
-  // Filter privilege REVOKEs for objects that are being dropped
-  // Avoid emitting redundant REVOKE statements for targets that will no longer exist.
+  // Filter privilege changes for objects that are only being dropped.
+  // Avoid emitting redundant ACL statements for targets that will no longer exist.
   const droppedObjectStableIds = new Set<string>();
+  const createdStableIds = new Set<string>();
   for (const change of changes) {
     if (change.operation === "drop" && change.scope === "object") {
       for (const dep of change.requires) {
         droppedObjectStableIds.add(dep);
       }
     }
+    if (change.operation === "create" && change.scope === "object") {
+      for (const dep of change.creates) {
+        createdStableIds.add(dep);
+      }
+    }
   }
+  // A pure DROP does not need ACL cleanup: the target object is going away.
+  // A replacement is different: it has both DROP and CREATE for the same stable
+  // id, and its privilege ALTERs describe the ACL state of the newly created
+  // object. Keep all of them, including REVOKE/REVOKE GRANT OPTION generated to
+  // subtract privileges inherited from ALTER DEFAULT PRIVILEGES at create time.
+  const replacementStableIds = new Set(
+    [...droppedObjectStableIds].filter((id) => createdStableIds.has(id)),
+  );
   let filteredChanges = changes.filter((change) => {
     if (change.operation === "alter" && change.scope === "privilege") {
-      return !droppedObjectStableIds.has(getPrivilegeTargetStableId(change));
+      const targetStableId = getPrivilegeTargetStableId(change);
+      // Checking only privilege creates would keep replacement GRANTs but drop
+      // replacement REVOKEs, so preserve by replacement target stable id instead.
+      if (replacementStableIds.has(targetStableId)) {
+        return true;
+      }
+      return !droppedObjectStableIds.has(targetStableId);
     }
     return true;
   });
@@ -238,6 +258,7 @@ export function diffCatalogs(
     changes: filteredChanges,
     mainCatalog: main,
     branchCatalog: branch,
+    diffContext,
   });
   filteredChanges = normalizePostDiffChanges({
     changes: expandedDependencies.changes,

package/src/core/catalog.filter.ts ADDED Viewed

@@ -0,0 +1,96 @@
+/**
+ * Prune a catalog to the objects that match a Filter DSL expression.
+ *
+ * The Filter DSL is defined over Change objects, so the catalog is
+ * diffed against an empty baseline first to materialize one CREATE
+ * change per object. The filter then evaluates against the same shape
+ * it would at plan time, and the surviving stableIds drive the prune.
+ *
+ * Dependency cascade is not applied. A scoped snapshot is partial by
+ * design: out-of-scope owners, roles, and types must exist on the
+ * target DB at apply time. Cascading would expand the filter beyond
+ * what the caller asked for and, in practice, collapse schema-scoped
+ * exports whose kept objects reference cluster-scoped owners.
+ */
+import { diffCatalogs } from "./catalog.diff.ts";
+import { Catalog, createEmptyCatalog } from "./catalog.model.ts";
+import { compileFilterDSL, type FilterDSL } from "./integrations/filter/dsl.ts";
+export async function filterCatalog(
+  catalog: Catalog,
+  filter: FilterDSL,
+): Promise<Catalog> {
+  if (
+    typeof filter === "object" &&
+    filter !== null &&
+    (filter as Record<string, unknown>).cascade === true
+  ) {
+    throw new Error(
+      "Filter DSL `cascade: true` is not supported by catalog-export: " +
+        "scoped snapshots are intentionally partial. Out-of-scope owners, " +
+        "roles, and types must exist on the target DB at apply time.",
+    );
+  }
+  const empty = await createEmptyCatalog(catalog.version, catalog.currentUser);
+  const changes = diffCatalogs(empty, catalog);
+  const filterFn = compileFilterDSL(filter);
+  const keep = new Set<string>();
+  for (const change of changes) {
+    if (!filterFn(change)) continue;
+    for (const id of change.creates ?? []) keep.add(id);
+  }
+  return pruneCatalog(catalog, keep);
+}
+function filterRecord<T>(
+  record: Record<string, T>,
+  keep: ReadonlySet<string>,
+): Record<string, T> {
+  return Object.fromEntries(
+    Object.entries(record).filter(([id]) => keep.has(id)),
+  );
+}
+function pruneCatalog(catalog: Catalog, keep: ReadonlySet<string>): Catalog {
+  const tables = filterRecord(catalog.tables, keep);
+  const materializedViews = filterRecord(catalog.materializedViews, keep);
+  return new Catalog({
+    aggregates: filterRecord(catalog.aggregates, keep),
+    collations: filterRecord(catalog.collations, keep),
+    compositeTypes: filterRecord(catalog.compositeTypes, keep),
+    domains: filterRecord(catalog.domains, keep),
+    enums: filterRecord(catalog.enums, keep),
+    extensions: filterRecord(catalog.extensions, keep),
+    procedures: filterRecord(catalog.procedures, keep),
+    indexes: filterRecord(catalog.indexes, keep),
+    materializedViews,
+    subscriptions: filterRecord(catalog.subscriptions, keep),
+    publications: filterRecord(catalog.publications, keep),
+    rlsPolicies: filterRecord(catalog.rlsPolicies, keep),
+    roles: filterRecord(catalog.roles, keep),
+    schemas: filterRecord(catalog.schemas, keep),
+    sequences: filterRecord(catalog.sequences, keep),
+    tables,
+    triggers: filterRecord(catalog.triggers, keep),
+    eventTriggers: filterRecord(catalog.eventTriggers, keep),
+    rules: filterRecord(catalog.rules, keep),
+    ranges: filterRecord(catalog.ranges, keep),
+    views: filterRecord(catalog.views, keep),
+    foreignDataWrappers: filterRecord(catalog.foreignDataWrappers, keep),
+    servers: filterRecord(catalog.servers, keep),
+    userMappings: filterRecord(catalog.userMappings, keep),
+    foreignTables: filterRecord(catalog.foreignTables, keep),
+    depends: catalog.depends.filter(
+      (d) =>
+        keep.has(d.dependent_stable_id) && keep.has(d.referenced_stable_id),
+    ),
+    indexableObjects: { ...tables, ...materializedViews },
+    version: catalog.version,
+    currentUser: catalog.currentUser,
+  });
+}

package/src/core/catalog.model.ts CHANGED Viewed

@@ -182,8 +182,10 @@ let _pg1516Baseline: Catalog | null = null;
 let _pg17Baseline: Catalog | null = null;
 async function loadBaselineJson(): Promise<Record<string, unknown>> {
-  const mod =
-    await import("./fixtures/empty-catalogs/postgres-15-16-baseline.json");
+  const mod = await import(
+    "./fixtures/empty-catalogs/postgres-15-16-baseline.json",
+    { with: { type: "json" } }
+  );
   return mod.default as Record<string, unknown>;
 }
@@ -447,6 +449,8 @@ function normalizeCatalog(catalog: Catalog): Catalog {
       options: redactSensitiveOptionPairs(server.options),
       comment: server.comment,
       privileges: server.privileges,
+      wrapper_handler: server.wrapper_handler,
+      wrapper_validator: server.wrapper_validator,
     });
   });
@@ -455,6 +459,8 @@ function normalizeCatalog(catalog: Catalog): Catalog {
       user: mapping.user,
       server: mapping.server,
       options: redactSensitiveOptionPairs(mapping.options),
+      wrapper_handler: mapping.wrapper_handler,
+      wrapper_validator: mapping.wrapper_validator,
     });
   });
@@ -470,6 +476,8 @@ function normalizeCatalog(catalog: Catalog): Catalog {
         options: redactSensitiveOptionPairs(foreignTable.options),
         comment: foreignTable.comment,
         privileges: foreignTable.privileges,
+        wrapper_handler: foreignTable.wrapper_handler,
+        wrapper_validator: foreignTable.wrapper_validator,
       }),
   );

package/src/core/expand-replace-dependencies.test.ts CHANGED Viewed

@@ -6,6 +6,14 @@ import { DefaultPrivilegeState } from "./objects/base.default-privileges.ts";
 import { CreateProcedure } from "./objects/procedure/changes/procedure.create.ts";
 import { DropProcedure } from "./objects/procedure/changes/procedure.drop.ts";
 import { Procedure } from "./objects/procedure/procedure.model.ts";
+import {
+  AlterRlsPolicySetUsingExpression,
+  AlterRlsPolicySetWithCheckExpression,
+} from "./objects/rls-policy/changes/rls-policy.alter.ts";
+import { CreateCommentOnRlsPolicy } from "./objects/rls-policy/changes/rls-policy.comment.ts";
+import { CreateRlsPolicy } from "./objects/rls-policy/changes/rls-policy.create.ts";
+import { DropRlsPolicy } from "./objects/rls-policy/changes/rls-policy.drop.ts";
+import { RlsPolicy } from "./objects/rls-policy/rls-policy.model.ts";
 import { CreateSequence } from "./objects/sequence/changes/sequence.create.ts";
 import { DropSequence } from "./objects/sequence/changes/sequence.drop.ts";
 import { diffSequences } from "./objects/sequence/sequence.diff.ts";
@@ -40,6 +48,7 @@ function mockChange(overrides: {
     scope: "object",
     creates,
     drops,
+    invalidates: [],
     requires: [],
     table: { schema: "public", name: "t" },
     serialize: () => [],
@@ -49,6 +58,20 @@ function mockChange(overrides: {
   } as unknown as Change;
 }
+function mockInvalidatingChange(invalidates: string[]): Change {
+  return {
+    objectType: "table",
+    operation: "alter",
+    scope: "object",
+    creates: [],
+    drops: [],
+    invalidates,
+    requires: [],
+    table: { schema: "public", name: "t" },
+    serialize: () => "",
+  } as unknown as Change;
+}
 describe("expandReplaceDependencies", () => {
   test("returns changes unchanged when there are no replace roots", async () => {
     const catalog = await createEmptyCatalog(160004, "u");
@@ -695,4 +718,263 @@ describe("expandReplaceDependencies", () => {
     expect(expanded.changes.some((c) => c instanceof DropView)).toBe(true);
   });
+  test("promotes dependent RLS policy when a procedure's signature changes", async () => {
+    const baseline = await createEmptyCatalog(170000, "postgres");
+    const procedureBase = {
+      schema: "public",
+      name: "check_role",
+      kind: "f" as const,
+      return_type: "boolean",
+      return_type_schema: "pg_catalog",
+      language: "plpgsql",
+      security_definer: false,
+      volatility: "v" as const,
+      parallel_safety: "u" as const,
+      execution_cost: 100,
+      result_rows: 0,
+      is_strict: false,
+      leakproof: false,
+      returns_set: false,
+      argument_names: ["id", "role"],
+      all_argument_types: null,
+      argument_modes: null,
+      source_code: "BEGIN RETURN true; END;",
+      binary_path: null,
+      sql_body: null,
+      config: null,
+      owner: "postgres",
+      comment: null,
+      privileges: [],
+    };
+    const mainProcedure = new Procedure({
+      ...procedureBase,
+      argument_count: 2,
+      argument_default_count: 0,
+      argument_types: ["uuid", "text"],
+      argument_defaults: null,
+      definition:
+        "CREATE FUNCTION public.check_role(id uuid, role text) RETURNS boolean ...",
+    });
+    const branchProcedure = new Procedure({
+      ...procedureBase,
+      argument_count: 3,
+      argument_default_count: 1,
+      argument_names: ["id", "role", "extra"],
+      argument_types: ["uuid", "text", "text"],
+      argument_defaults: "'default'::text",
+      definition:
+        "CREATE FUNCTION public.check_role(id uuid, role text, extra text DEFAULT 'default'::text) RETURNS boolean ...",
+    });
+    const policyBase = {
+      schema: "public",
+      table_name: "profiles",
+      name: "check_role_policy",
+      command: "r" as const,
+      permissive: true,
+      roles: ["public"],
+      using_expression: "public.check_role(id, role)",
+      with_check_expression: null,
+      owner: "postgres",
+      comment: "policy comment",
+      referenced_relations: [],
+    };
+    const mainPolicy = new RlsPolicy({
+      ...policyBase,
+      referenced_procedures: [
+        {
+          schema: "public",
+          name: "check_role",
+          argument_types: ["uuid", "text"],
+        },
+      ],
+    });
+    const branchPolicy = new RlsPolicy({
+      ...policyBase,
+      referenced_procedures: [
+        {
+          schema: "public",
+          name: "check_role",
+          argument_types: ["uuid", "text", "text"],
+        },
+      ],
+    });
+    const changes: Change[] = [
+      new DropProcedure({ procedure: mainProcedure }),
+      new CreateProcedure({ procedure: branchProcedure }),
+    ];
+    const mainCatalog = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...baseline,
+      procedures: { [mainProcedure.stableId]: mainProcedure },
+      rlsPolicies: { [mainPolicy.stableId]: mainPolicy },
+      depends: [
+        {
+          dependent_stable_id: mainPolicy.stableId,
+          referenced_stable_id: mainProcedure.stableId,
+          deptype: "n",
+        },
+      ],
+    });
+    const branchCatalog = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...baseline,
+      procedures: { [branchProcedure.stableId]: branchProcedure },
+      rlsPolicies: { [branchPolicy.stableId]: branchPolicy },
+      depends: [],
+    });
+    const expanded = expandReplaceDependencies({
+      changes,
+      mainCatalog,
+      branchCatalog,
+    });
+    expect(expanded.changes.some((c) => c instanceof DropRlsPolicy)).toBe(true);
+    expect(expanded.changes.some((c) => c instanceof CreateRlsPolicy)).toBe(
+      true,
+    );
+    expect(
+      expanded.changes.some((c) => c instanceof CreateCommentOnRlsPolicy),
+    ).toBe(true);
+  });
+  test("promotes dependent RLS policy when a referenced column is invalidated", async () => {
+    const baseline = await createEmptyCatalog(170000, "postgres");
+    const columnTemplate = {
+      position: 1,
+      data_type: "text",
+      data_type_str: "text",
+      is_custom_type: false,
+      custom_type_type: null,
+      custom_type_category: null,
+      custom_type_schema: null,
+      custom_type_name: null,
+      not_null: true,
+      is_identity: false,
+      is_identity_always: false,
+      is_generated: false,
+      collation: null,
+      default: null,
+      comment: null,
+    };
+    const tableBase = {
+      schema: "public",
+      name: "solution_categories_with_policy",
+      persistence: "p" as const,
+      row_security: true,
+      force_row_security: false,
+      has_indexes: false,
+      has_rules: false,
+      has_triggers: false,
+      has_subclasses: false,
+      is_populated: true,
+      replica_identity: "d" as const,
+      is_partition: false,
+      options: null,
+      partition_bound: null,
+      partition_by: null,
+      owner: "postgres",
+      comment: null,
+      parent_schema: null,
+      parent_name: null,
+      constraints: [],
+      privileges: [],
+    };
+    const mainRoleColumn = {
+      ...columnTemplate,
+      name: "role",
+    };
+    const branchRoleColumn = {
+      ...columnTemplate,
+      name: "role",
+      data_type: "user_role_enum",
+      data_type_str: "public.user_role_enum",
+      is_custom_type: true,
+      custom_type_type: "e",
+      custom_type_category: "E",
+      custom_type_schema: "public",
+      custom_type_name: "user_role_enum",
+    };
+    const mainTable = new Table({
+      ...tableBase,
+      columns: [mainRoleColumn],
+    });
+    const branchTable = new Table({
+      ...tableBase,
+      columns: [branchRoleColumn],
+    });
+    const policyBase = {
+      schema: "public",
+      table_name: "solution_categories_with_policy",
+      name: "categories_admin_manage",
+      command: "*" as const,
+      permissive: true,
+      roles: ["public"],
+      owner: "postgres",
+      comment: null,
+      referenced_relations: [],
+      referenced_procedures: [],
+    };
+    const mainPolicy = new RlsPolicy({
+      ...policyBase,
+      using_expression: "role = 'admin'",
+      with_check_expression: "role = 'admin'",
+    });
+    const branchPolicy = new RlsPolicy({
+      ...policyBase,
+      using_expression: "role = 'admin'::public.user_role_enum",
+      with_check_expression: "role = 'admin'::public.user_role_enum",
+    });
+    const alterUsing = new AlterRlsPolicySetUsingExpression({
+      policy: mainPolicy,
+      usingExpression: branchPolicy.using_expression,
+    });
+    const alterWithCheck = new AlterRlsPolicySetWithCheckExpression({
+      policy: mainPolicy,
+      withCheckExpression: branchPolicy.with_check_expression,
+    });
+    const changes: Change[] = [
+      mockInvalidatingChange([
+        "column:public.solution_categories_with_policy.role",
+      ]),
+      alterUsing,
+      alterWithCheck,
+    ];
+    const mainCatalog = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...baseline,
+      tables: { [mainTable.stableId]: mainTable },
+      rlsPolicies: { [mainPolicy.stableId]: mainPolicy },
+      depends: [
+        {
+          dependent_stable_id: mainPolicy.stableId,
+          referenced_stable_id:
+            "column:public.solution_categories_with_policy.role",
+          deptype: "n",
+        },
+      ],
+    });
+    const branchCatalog = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...baseline,
+      tables: { [branchTable.stableId]: branchTable },
+      rlsPolicies: { [branchPolicy.stableId]: branchPolicy },
+      depends: [],
+    });
+    const expanded = expandReplaceDependencies({
+      changes,
+      mainCatalog,
+      branchCatalog,
+    });
+    expect(expanded.changes.some((c) => c instanceof DropRlsPolicy)).toBe(true);
+    expect(expanded.changes.some((c) => c instanceof CreateRlsPolicy)).toBe(
+      true,
+    );
+    expect(expanded.changes).not.toContain(alterUsing);
+    expect(expanded.changes).not.toContain(alterWithCheck);
+  });
 });