@supabase/pg-delta 1.0.0-alpha.27 → 1.0.0-alpha.29

package/src/core/catalog.diff.test.ts

@@ -0,0 +1,173 @@
+import { describe, expect, test } from "bun:test";
+import { diffCatalogs } from "./catalog.diff.ts";
+import { Catalog, createEmptyCatalog } from "./catalog.model.ts";
+import { Role, type RoleProps } from "./objects/role/role.model.ts";
+import {
+  GrantViewPrivileges,
+  RevokeViewPrivileges,
+} from "./objects/view/changes/view.privilege.ts";
+import { View, type ViewProps } from "./objects/view/view.model.ts";
+
+const idColumn: ViewProps["columns"][number] = {
+  name: "id",
+  position: 1,
+  data_type: "integer",
+  data_type_str: "integer",
+  is_custom_type: false,
+  custom_type_type: null,
+  custom_type_category: null,
+  custom_type_schema: null,
+  custom_type_name: null,
+  not_null: false,
+  is_identity: false,
+  is_identity_always: false,
+  is_generated: false,
+  collation: null,
+  default: null,
+  comment: null,
+};
+
+const nameColumn: ViewProps["columns"][number] = {
+  name: "name",
+  position: 2,
+  data_type: "text",
+  data_type_str: "text",
+  is_custom_type: false,
+  custom_type_type: null,
+  custom_type_category: null,
+  custom_type_schema: null,
+  custom_type_name: null,
+  not_null: false,
+  is_identity: false,
+  is_identity_always: false,
+  is_generated: false,
+  collation: null,
+  default: null,
+  comment: null,
+};
+
+const baseView: ViewProps = {
+  schema: "public",
+  name: "replaced_view",
+  definition: "SELECT id FROM source_table",
+  row_security: false,
+  force_row_security: false,
+  has_indexes: false,
+  has_rules: false,
+  has_triggers: false,
+  has_subclasses: false,
+  is_populated: true,
+  replica_identity: "d",
+  is_partition: false,
+  options: null,
+  partition_bound: null,
+  owner: "postgres",
+  comment: null,
+  columns: [idColumn],
+  privileges: [],
+};
+
+const makeView = (override: Partial<ViewProps> = {}) =>
+  new View({
+    ...baseView,
+    ...override,
+    columns: override.columns ?? [...baseView.columns],
+    privileges: override.privileges ?? [...baseView.privileges],
+  });
+
+const makeRole = (name: string, override: Partial<RoleProps> = {}) =>
+  new Role({
+    name,
+    is_superuser: false,
+    can_inherit: true,
+    can_create_roles: false,
+    can_create_databases: false,
+    can_login: true,
+    can_replicate: false,
+    connection_limit: null,
+    can_bypass_rls: false,
+    config: null,
+    comment: null,
+    members: [],
+    default_privileges: [],
+    security_labels: [],
+    ...override,
+  });
+
+describe("catalog.diff", () => {
+  test("keeps replacement-created view grants through dropped-target privilege filtering", async () => {
+    const baseline = await createEmptyCatalog(170000, "postgres");
+    const mainView = makeView();
+    const branchView = makeView({
+      definition: "SELECT id, name FROM source_table",
+      columns: [...mainView.columns, nameColumn],
+      privileges: [
+        { grantee: "view_reader", privilege: "SELECT", grantable: false },
+      ],
+    });
+
+    const main = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...baseline,
+      views: { [mainView.stableId]: mainView },
+    });
+    const branch = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...baseline,
+      views: { [branchView.stableId]: branchView },
+    });
+
+    const changes = diffCatalogs(main, branch);
+
+    expect(
+      changes.some((change) => change instanceof GrantViewPrivileges),
+    ).toBe(true);
+  });
+
+  test("keeps replacement-created view revokes through dropped-target privilege filtering", async () => {
+    const baseline = await createEmptyCatalog(170000, "postgres");
+    const mainView = makeView();
+    const branchView = makeView({
+      definition: "SELECT id, name FROM source_table",
+      columns: [...mainView.columns, nameColumn],
+    });
+    const postgres = makeRole("postgres", {
+      default_privileges: [
+        {
+          in_schema: "public",
+          objtype: "r",
+          grantee: "view_reader",
+          privileges: [{ privilege: "SELECT", grantable: false }],
+          is_implicit: false,
+        },
+      ],
+    });
+    const viewReader = makeRole("view_reader");
+
+    const roles = {
+      [postgres.stableId]: postgres,
+      [viewReader.stableId]: viewReader,
+    };
+    const main = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...baseline,
+      roles,
+      views: { [mainView.stableId]: mainView },
+    });
+    const branch = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...baseline,
+      roles,
+      views: { [branchView.stableId]: branchView },
+    });
+
+    // The recreated view inherits SELECT from default privileges, but the
+    // branch model wants no explicit reader ACL. The replacement filter must
+    // keep the generated REVOKE even though the old view stable id is dropped.
+    const changes = diffCatalogs(main, branch);
+
+    expect(
+      changes.some((change) => change instanceof RevokeViewPrivileges),
+    ).toBe(true);
+  });
+});

package/src/core/catalog.diff.ts

@@ -217,19 +217,39 @@ export function diffCatalogs(
     ...diffForeignTables(diffContext, main.foreignTables, branch.foreignTables),
   );
 
-  // Filter privilege REVOKEs for objects that are being dropped
-  // Avoid emitting redundant REVOKE statements for targets that will no longer exist.
+  // Filter privilege changes for objects that are only being dropped.
+  // Avoid emitting redundant ACL statements for targets that will no longer exist.
   const droppedObjectStableIds = new Set<string>();
+  const createdStableIds = new Set<string>();
   for (const change of changes) {
     if (change.operation === "drop" && change.scope === "object") {
       for (const dep of change.requires) {
         droppedObjectStableIds.add(dep);
       }
     }
+    if (change.operation === "create" && change.scope === "object") {
+      for (const dep of change.creates) {
+        createdStableIds.add(dep);
+      }
+    }
   }
+  // A pure DROP does not need ACL cleanup: the target object is going away.
+  // A replacement is different: it has both DROP and CREATE for the same stable
+  // id, and its privilege ALTERs describe the ACL state of the newly created
+  // object. Keep all of them, including REVOKE/REVOKE GRANT OPTION generated to
+  // subtract privileges inherited from ALTER DEFAULT PRIVILEGES at create time.
+  const replacementStableIds = new Set(
+    [...droppedObjectStableIds].filter((id) => createdStableIds.has(id)),
+  );
   let filteredChanges = changes.filter((change) => {
     if (change.operation === "alter" && change.scope === "privilege") {
-      return !droppedObjectStableIds.has(getPrivilegeTargetStableId(change));
+      const targetStableId = getPrivilegeTargetStableId(change);
+      // Checking only privilege creates would keep replacement GRANTs but drop
+      // replacement REVOKEs, so preserve by replacement target stable id instead.
+      if (replacementStableIds.has(targetStableId)) {
+        return true;
+      }
+      return !droppedObjectStableIds.has(targetStableId);
     }
     return true;
   });
@@ -238,6 +258,7 @@ export function diffCatalogs(
     changes: filteredChanges,
     mainCatalog: main,
     branchCatalog: branch,
+    diffContext,
   });
   filteredChanges = normalizePostDiffChanges({
     changes: expandedDependencies.changes,

package/src/core/expand-replace-dependencies.test.ts

@@ -6,6 +6,14 @@ import { DefaultPrivilegeState } from "./objects/base.default-privileges.ts";
 import { CreateProcedure } from "./objects/procedure/changes/procedure.create.ts";
 import { DropProcedure } from "./objects/procedure/changes/procedure.drop.ts";
 import { Procedure } from "./objects/procedure/procedure.model.ts";
+import {
+  AlterRlsPolicySetUsingExpression,
+  AlterRlsPolicySetWithCheckExpression,
+} from "./objects/rls-policy/changes/rls-policy.alter.ts";
+import { CreateCommentOnRlsPolicy } from "./objects/rls-policy/changes/rls-policy.comment.ts";
+import { CreateRlsPolicy } from "./objects/rls-policy/changes/rls-policy.create.ts";
+import { DropRlsPolicy } from "./objects/rls-policy/changes/rls-policy.drop.ts";
+import { RlsPolicy } from "./objects/rls-policy/rls-policy.model.ts";
 import { CreateSequence } from "./objects/sequence/changes/sequence.create.ts";
 import { DropSequence } from "./objects/sequence/changes/sequence.drop.ts";
 import { diffSequences } from "./objects/sequence/sequence.diff.ts";
@@ -40,6 +48,7 @@ function mockChange(overrides: {
     scope: "object",
     creates,
     drops,
+    invalidates: [],
     requires: [],
     table: { schema: "public", name: "t" },
     serialize: () => [],
@@ -49,6 +58,20 @@ function mockChange(overrides: {
   } as unknown as Change;
 }
 
+function mockInvalidatingChange(invalidates: string[]): Change {
+  return {
+    objectType: "table",
+    operation: "alter",
+    scope: "object",
+    creates: [],
+    drops: [],
+    invalidates,
+    requires: [],
+    table: { schema: "public", name: "t" },
+    serialize: () => "",
+  } as unknown as Change;
+}
+
 describe("expandReplaceDependencies", () => {
   test("returns changes unchanged when there are no replace roots", async () => {
     const catalog = await createEmptyCatalog(160004, "u");
@@ -695,4 +718,263 @@ describe("expandReplaceDependencies", () => {
 
     expect(expanded.changes.some((c) => c instanceof DropView)).toBe(true);
   });
+
+  test("promotes dependent RLS policy when a procedure's signature changes", async () => {
+    const baseline = await createEmptyCatalog(170000, "postgres");
+    const procedureBase = {
+      schema: "public",
+      name: "check_role",
+      kind: "f" as const,
+      return_type: "boolean",
+      return_type_schema: "pg_catalog",
+      language: "plpgsql",
+      security_definer: false,
+      volatility: "v" as const,
+      parallel_safety: "u" as const,
+      execution_cost: 100,
+      result_rows: 0,
+      is_strict: false,
+      leakproof: false,
+      returns_set: false,
+      argument_names: ["id", "role"],
+      all_argument_types: null,
+      argument_modes: null,
+      source_code: "BEGIN RETURN true; END;",
+      binary_path: null,
+      sql_body: null,
+      config: null,
+      owner: "postgres",
+      comment: null,
+      privileges: [],
+    };
+    const mainProcedure = new Procedure({
+      ...procedureBase,
+      argument_count: 2,
+      argument_default_count: 0,
+      argument_types: ["uuid", "text"],
+      argument_defaults: null,
+      definition:
+        "CREATE FUNCTION public.check_role(id uuid, role text) RETURNS boolean ...",
+    });
+    const branchProcedure = new Procedure({
+      ...procedureBase,
+      argument_count: 3,
+      argument_default_count: 1,
+      argument_names: ["id", "role", "extra"],
+      argument_types: ["uuid", "text", "text"],
+      argument_defaults: "'default'::text",
+      definition:
+        "CREATE FUNCTION public.check_role(id uuid, role text, extra text DEFAULT 'default'::text) RETURNS boolean ...",
+    });
+    const policyBase = {
+      schema: "public",
+      table_name: "profiles",
+      name: "check_role_policy",
+      command: "r" as const,
+      permissive: true,
+      roles: ["public"],
+      using_expression: "public.check_role(id, role)",
+      with_check_expression: null,
+      owner: "postgres",
+      comment: "policy comment",
+      referenced_relations: [],
+    };
+    const mainPolicy = new RlsPolicy({
+      ...policyBase,
+      referenced_procedures: [
+        {
+          schema: "public",
+          name: "check_role",
+          argument_types: ["uuid", "text"],
+        },
+      ],
+    });
+    const branchPolicy = new RlsPolicy({
+      ...policyBase,
+      referenced_procedures: [
+        {
+          schema: "public",
+          name: "check_role",
+          argument_types: ["uuid", "text", "text"],
+        },
+      ],
+    });
+
+    const changes: Change[] = [
+      new DropProcedure({ procedure: mainProcedure }),
+      new CreateProcedure({ procedure: branchProcedure }),
+    ];
+    const mainCatalog = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...baseline,
+      procedures: { [mainProcedure.stableId]: mainProcedure },
+      rlsPolicies: { [mainPolicy.stableId]: mainPolicy },
+      depends: [
+        {
+          dependent_stable_id: mainPolicy.stableId,
+          referenced_stable_id: mainProcedure.stableId,
+          deptype: "n",
+        },
+      ],
+    });
+    const branchCatalog = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...baseline,
+      procedures: { [branchProcedure.stableId]: branchProcedure },
+      rlsPolicies: { [branchPolicy.stableId]: branchPolicy },
+      depends: [],
+    });
+
+    const expanded = expandReplaceDependencies({
+      changes,
+      mainCatalog,
+      branchCatalog,
+    });
+
+    expect(expanded.changes.some((c) => c instanceof DropRlsPolicy)).toBe(true);
+    expect(expanded.changes.some((c) => c instanceof CreateRlsPolicy)).toBe(
+      true,
+    );
+    expect(
+      expanded.changes.some((c) => c instanceof CreateCommentOnRlsPolicy),
+    ).toBe(true);
+  });
+
+  test("promotes dependent RLS policy when a referenced column is invalidated", async () => {
+    const baseline = await createEmptyCatalog(170000, "postgres");
+    const columnTemplate = {
+      position: 1,
+      data_type: "text",
+      data_type_str: "text",
+      is_custom_type: false,
+      custom_type_type: null,
+      custom_type_category: null,
+      custom_type_schema: null,
+      custom_type_name: null,
+      not_null: true,
+      is_identity: false,
+      is_identity_always: false,
+      is_generated: false,
+      collation: null,
+      default: null,
+      comment: null,
+    };
+    const tableBase = {
+      schema: "public",
+      name: "solution_categories_with_policy",
+      persistence: "p" as const,
+      row_security: true,
+      force_row_security: false,
+      has_indexes: false,
+      has_rules: false,
+      has_triggers: false,
+      has_subclasses: false,
+      is_populated: true,
+      replica_identity: "d" as const,
+      is_partition: false,
+      options: null,
+      partition_bound: null,
+      partition_by: null,
+      owner: "postgres",
+      comment: null,
+      parent_schema: null,
+      parent_name: null,
+      constraints: [],
+      privileges: [],
+    };
+    const mainRoleColumn = {
+      ...columnTemplate,
+      name: "role",
+    };
+    const branchRoleColumn = {
+      ...columnTemplate,
+      name: "role",
+      data_type: "user_role_enum",
+      data_type_str: "public.user_role_enum",
+      is_custom_type: true,
+      custom_type_type: "e",
+      custom_type_category: "E",
+      custom_type_schema: "public",
+      custom_type_name: "user_role_enum",
+    };
+    const mainTable = new Table({
+      ...tableBase,
+      columns: [mainRoleColumn],
+    });
+    const branchTable = new Table({
+      ...tableBase,
+      columns: [branchRoleColumn],
+    });
+    const policyBase = {
+      schema: "public",
+      table_name: "solution_categories_with_policy",
+      name: "categories_admin_manage",
+      command: "*" as const,
+      permissive: true,
+      roles: ["public"],
+      owner: "postgres",
+      comment: null,
+      referenced_relations: [],
+      referenced_procedures: [],
+    };
+    const mainPolicy = new RlsPolicy({
+      ...policyBase,
+      using_expression: "role = 'admin'",
+      with_check_expression: "role = 'admin'",
+    });
+    const branchPolicy = new RlsPolicy({
+      ...policyBase,
+      using_expression: "role = 'admin'::public.user_role_enum",
+      with_check_expression: "role = 'admin'::public.user_role_enum",
+    });
+    const alterUsing = new AlterRlsPolicySetUsingExpression({
+      policy: mainPolicy,
+      usingExpression: branchPolicy.using_expression,
+    });
+    const alterWithCheck = new AlterRlsPolicySetWithCheckExpression({
+      policy: mainPolicy,
+      withCheckExpression: branchPolicy.with_check_expression,
+    });
+    const changes: Change[] = [
+      mockInvalidatingChange([
+        "column:public.solution_categories_with_policy.role",
+      ]),
+      alterUsing,
+      alterWithCheck,
+    ];
+    const mainCatalog = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...baseline,
+      tables: { [mainTable.stableId]: mainTable },
+      rlsPolicies: { [mainPolicy.stableId]: mainPolicy },
+      depends: [
+        {
+          dependent_stable_id: mainPolicy.stableId,
+          referenced_stable_id:
+            "column:public.solution_categories_with_policy.role",
+          deptype: "n",
+        },
+      ],
+    });
+    const branchCatalog = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...baseline,
+      tables: { [branchTable.stableId]: branchTable },
+      rlsPolicies: { [branchPolicy.stableId]: branchPolicy },
+      depends: [],
+    });
+
+    const expanded = expandReplaceDependencies({
+      changes,
+      mainCatalog,
+      branchCatalog,
+    });
+
+    expect(expanded.changes.some((c) => c instanceof DropRlsPolicy)).toBe(true);
+    expect(expanded.changes.some((c) => c instanceof CreateRlsPolicy)).toBe(
+      true,
+    );
+    expect(expanded.changes).not.toContain(alterUsing);
+    expect(expanded.changes).not.toContain(alterWithCheck);
+  });
 });