orchid-orm 1.64.7 → 1.64.9

package/dist/migrations/index.js

@@ -2165,34 +2165,43 @@ const processTableChange = async (adapter, structureToAstCtx, dbStructure, domai
   }
 };
 
+const defaults = {
+  super: false,
+  inherit: false,
+  createRole: false,
+  createDb: false,
+  canLogin: false,
+  replication: false,
+  connLimit: -1,
+  bypassRls: false
+};
 const processRoles = async (ast, dbStructure, { verifying, internal: { roles } }) => {
   if (!dbStructure.roles || !roles) return;
-  const codeRoles = roles.map(
-    (role) => ({
-      super: false,
-      inherit: false,
-      createRole: false,
-      createDb: false,
-      canLogin: false,
-      replication: false,
-      connLimit: -1,
-      bypassRls: false,
-      ...role
-    })
-  );
+  const codeRoles = roles.map((role) => {
+    const { defaultPrivileges: _, ...roleWithoutPrivileges } = role;
+    return {
+      ...defaults,
+      ...roleWithoutPrivileges
+    };
+  });
   const found = /* @__PURE__ */ new Set();
   const dropRoles = [];
   for (const dbRole of dbStructure.roles) {
+    const {
+      // eslint-disable-next-line @typescript-eslint/no-unused-vars
+      defaultPrivileges: _,
+      ...dbRoleWithoutPrivileges
+    } = dbRole;
     const codeRole = codeRoles.find(
       (codeRole2) => dbRole.name === codeRole2.name
     );
     if (codeRole) {
       found.add(dbRole.name);
-      if (!pqb.deepCompare(dbRole, codeRole)) {
+      if (!pqb.deepCompare(dbRoleWithoutPrivileges, codeRole)) {
         ast.push({
           type: "changeRole",
           name: dbRole.name,
-          from: dbRole,
+          from: dbRoleWithoutPrivileges,
           to: codeRole
         });
       }
@@ -2249,6 +2258,349 @@ const makeRenameOrChangeAst = (dbRole, codeRole) => {
   }
 };
 
+const ALL_OBJECT_TYPES = [
+  "TABLES",
+  "SEQUENCES",
+  "FUNCTIONS",
+  "TYPES",
+  "SCHEMAS",
+  "LARGE_OBJECTS"
+];
+const createAllObjectConfigs = (isGrantable, schema, supportedPrivileges) => {
+  let types;
+  if (schema) {
+    types = ALL_OBJECT_TYPES.filter(
+      (t) => t !== "SCHEMAS" && t !== "LARGE_OBJECTS"
+    );
+  } else {
+    types = ALL_OBJECT_TYPES.filter((t) => {
+      if (t === "LARGE_OBJECTS") {
+        return supportedPrivileges.PRIVILEGES.LARGE_OBJECT !== void 0;
+      }
+      return true;
+    });
+  }
+  return types.map((object) => ({
+    object,
+    privilegeConfigs: [{ privilege: "ALL", isGrantable }]
+  }));
+};
+const objectTypeToKey = {
+  TABLES: "tables",
+  SEQUENCES: "sequences",
+  FUNCTIONS: "functions",
+  TYPES: "types",
+  SCHEMAS: "schemas",
+  LARGE_OBJECTS: "largeObjects"
+};
+const splitPrivilegeConfigs = (configs) => {
+  const regular = [];
+  const grantable = [];
+  for (const p of configs) {
+    if (p.isGrantable) {
+      grantable.push(p.privilege);
+    } else {
+      regular.push(p.privilege);
+    }
+  }
+  return { regular, grantable };
+};
+const createPrivilegeSetting = (regular, grantable) => {
+  const setting = {};
+  if (regular.length) setting.privileges = regular;
+  if (grantable.length) setting.grantablePrivileges = grantable;
+  return setting;
+};
+const collapsePrivileges = (privs, newPrivilegeConfigs, expectedPrivs, isGrantable) => {
+  const hasAll = privs.some((p) => p.privilege === "ALL");
+  const allPresent = hasAll || privs.length > 0 && privs.length === expectedPrivs.length && expectedPrivs.every((priv) => privs.some((p) => p.privilege === priv));
+  if (allPresent) {
+    newPrivilegeConfigs.push({ privilege: "ALL", isGrantable });
+  } else if (privs.length > 0) {
+    newPrivilegeConfigs.push(...privs);
+  }
+};
+const collapsePrivilegesToAll = (privilege, objectTypeToAllPrivileges) => {
+  const collapsedObjectConfigs = privilege.objectConfigs.map(
+    (objConfig) => {
+      const allPrivileges = objectTypeToAllPrivileges[objConfig.object];
+      const expectedPrivs = allPrivileges.filter((p) => p !== "ALL");
+      const regularPrivs = [];
+      const grantablePrivs = [];
+      for (const p of objConfig.privilegeConfigs) {
+        if (p.isGrantable) {
+          grantablePrivs.push(p);
+        } else {
+          regularPrivs.push(p);
+        }
+      }
+      const newPrivilegeConfigs = [];
+      collapsePrivileges(
+        regularPrivs,
+        newPrivilegeConfigs,
+        expectedPrivs,
+        false
+      );
+      collapsePrivileges(
+        grantablePrivs,
+        newPrivilegeConfigs,
+        expectedPrivs,
+        true
+      );
+      return {
+        object: objConfig.object,
+        privilegeConfigs: newPrivilegeConfigs
+      };
+    }
+  );
+  return {
+    owner: privilege.owner,
+    grantee: privilege.grantee,
+    schema: privilege.schema,
+    objectConfigs: collapsedObjectConfigs
+  };
+};
+const privilegeConfigsMatch = (a, b, objectType, objectTypeToAllPrivileges) => {
+  if (a.privilege === b.privilege && a.isGrantable === b.isGrantable) {
+    return true;
+  }
+  const allPrivileges = objectTypeToAllPrivileges[objectType];
+  const expectedPrivs = allPrivileges.filter((p) => p !== "ALL");
+  if (a.privilege === "ALL" && a.isGrantable === b.isGrantable) {
+    return expectedPrivs.includes(b.privilege);
+  }
+  if (b.privilege === "ALL" && a.isGrantable === b.isGrantable) {
+    return expectedPrivs.includes(a.privilege);
+  }
+  return false;
+};
+const normalizeRoleName = (name) => {
+  if (name.startsWith('"') && name.endsWith('"')) {
+    return name.slice(1, -1);
+  }
+  return name;
+};
+const processPrivilegeConfig = (config, objectType) => {
+  if (!config) return;
+  const privilegeConfigs = [];
+  if (config.privileges) {
+    for (const p of config.privileges) {
+      privilegeConfigs.push({ privilege: p, isGrantable: false });
+    }
+  }
+  if (config.grantablePrivileges) {
+    for (const p of config.grantablePrivileges) {
+      privilegeConfigs.push({ privilege: p, isGrantable: true });
+    }
+  }
+  if (privilegeConfigs.length) {
+    return { object: objectType, privilegeConfigs };
+  }
+  return;
+};
+const hasAnyPrivilege = (obj) => {
+  if (!obj) return false;
+  for (const key of ALL_OBJECT_TYPES) {
+    const setting = obj[objectTypeToKey[key]];
+    if (setting?.privileges?.length || setting?.grantablePrivileges?.length) {
+      return true;
+    }
+  }
+  return false;
+};
+const processDefaultPrivileges = (ast, dbStructure, { internal: { roles } }) => {
+  if (!dbStructure.defaultPrivileges || !roles) return;
+  const supportedPrivileges = pqb.getSupportedDefaultPrivileges(
+    dbStructure.version
+  );
+  const objectTypeToAllPrivileges = {};
+  objectTypeToAllPrivileges.TABLES = supportedPrivileges.PRIVILEGES.TABLE;
+  objectTypeToAllPrivileges.SEQUENCES = supportedPrivileges.PRIVILEGES.SEQUENCE;
+  objectTypeToAllPrivileges.FUNCTIONS = supportedPrivileges.PRIVILEGES.FUNCTION;
+  objectTypeToAllPrivileges.TYPES = supportedPrivileges.PRIVILEGES.TYPE;
+  objectTypeToAllPrivileges.SCHEMAS = supportedPrivileges.PRIVILEGES.SCHEMA;
+  if (supportedPrivileges.PRIVILEGES.LARGE_OBJECT) {
+    objectTypeToAllPrivileges.LARGE_OBJECTS = supportedPrivileges.PRIVILEGES.LARGE_OBJECT;
+  }
+  const codePrivileges = /* @__PURE__ */ new Map();
+  for (const role of roles) {
+    if (!role.defaultPrivileges) continue;
+    for (const privilege of role.defaultPrivileges) {
+      const key = `${role.name}.${privilege.schema}`;
+      const objectConfigs = [];
+      if (privilege.allGrantable) {
+        objectConfigs.push(
+          ...createAllObjectConfigs(
+            true,
+            privilege.schema,
+            supportedPrivileges
+          )
+        );
+      } else if (privilege.all) {
+        objectConfigs.push(
+          ...createAllObjectConfigs(
+            false,
+            privilege.schema,
+            supportedPrivileges
+          )
+        );
+      }
+      for (const objectType of ALL_OBJECT_TYPES) {
+        if (privilege.schema && (objectType === "SCHEMAS" || objectType === "LARGE_OBJECTS")) {
+          continue;
+        }
+        if (objectType === "LARGE_OBJECTS" && !supportedPrivileges.PRIVILEGES.LARGE_OBJECT) {
+          continue;
+        }
+        const key2 = objectTypeToKey[objectType];
+        if (key2 in privilege) {
+          const config = privilege[key2];
+          const processed = processPrivilegeConfig(config, objectType);
+          if (processed) {
+            const existingIndex = objectConfigs.findIndex(
+              (o) => o.object === objectType
+            );
+            if (existingIndex >= 0) {
+              objectConfigs[existingIndex] = processed;
+            } else {
+              objectConfigs.push(processed);
+            }
+          }
+        }
+      }
+      if (objectConfigs.length) {
+        codePrivileges.set(key, {
+          owner: void 0,
+          grantee: role.name,
+          schema: privilege.schema,
+          objectConfigs
+        });
+      }
+    }
+  }
+  const found = /* @__PURE__ */ new Set();
+  for (const dbPrivilege of dbStructure.defaultPrivileges) {
+    const grantee = normalizeRoleName(dbPrivilege.grantee);
+    if (grantee === "postgres") continue;
+    const key = `${grantee}.${dbPrivilege.schema}`;
+    const codePrivilege = codePrivileges.get(key);
+    if (codePrivilege) {
+      found.add(key);
+      const grant = {};
+      const revoke = {};
+      for (const objectType of ALL_OBJECT_TYPES) {
+        if (objectType === "LARGE_OBJECTS" && !supportedPrivileges.PRIVILEGES.LARGE_OBJECT) {
+          continue;
+        }
+        const dbObj = dbPrivilege.objectConfigs.find(
+          (o) => o.object === objectType
+        );
+        const codeObj = codePrivilege.objectConfigs.find(
+          (o) => o.object === objectType
+        );
+        const dbPrivs = dbObj?.privilegeConfigs ?? [];
+        const codePrivs = codeObj?.privilegeConfigs ?? [];
+        const collapsedDbPrivilege = {
+          owner: dbPrivilege.owner,
+          grantee: dbPrivilege.grantee,
+          schema: dbPrivilege.schema,
+          objectConfigs: [{ object: objectType, privilegeConfigs: dbPrivs }]
+        };
+        const collapsedDbObj = collapsePrivilegesToAll(
+          collapsedDbPrivilege,
+          objectTypeToAllPrivileges
+        ).objectConfigs[0];
+        const collapsedDbPrivs = collapsedDbObj?.privilegeConfigs ?? [];
+        const toGrant = codePrivs.filter(
+          (cp) => !collapsedDbPrivs.some(
+            (dp) => privilegeConfigsMatch(
+              cp,
+              dp,
+              objectType,
+              objectTypeToAllPrivileges
+            )
+          )
+        );
+        const toRevoke = dbPrivs.filter(
+          (dp) => !codePrivs.some(
+            (cp) => privilegeConfigsMatch(
+              cp,
+              dp,
+              objectType,
+              objectTypeToAllPrivileges
+            )
+          )
+        );
+        if (toGrant.length) {
+          const { regular, grantable } = splitPrivilegeConfigs(toGrant);
+          const setting = createPrivilegeSetting(regular, grantable);
+          if (setting.privileges || setting.grantablePrivileges) {
+            grant[objectTypeToKey[objectType]] = setting;
+          }
+        }
+        if (toRevoke.length) {
+          const { regular, grantable } = splitPrivilegeConfigs(toRevoke);
+          const setting = createPrivilegeSetting(regular, grantable);
+          if (setting.privileges || setting.grantablePrivileges) {
+            revoke[objectTypeToKey[objectType]] = setting;
+          }
+        }
+      }
+      const hasGrant = hasAnyPrivilege(grant);
+      const hasRevoke = hasAnyPrivilege(revoke);
+      if (hasGrant || hasRevoke) {
+        ast.push({
+          type: "defaultPrivilege",
+          grantee,
+          schema: dbPrivilege.schema,
+          grant: hasGrant ? grant : void 0,
+          revoke: hasRevoke ? revoke : void 0
+        });
+      }
+    } else {
+      const revoke = {};
+      for (const obj of dbPrivilege.objectConfigs) {
+        const { regular, grantable } = splitPrivilegeConfigs(
+          obj.privilegeConfigs
+        );
+        const setting = createPrivilegeSetting(regular, grantable);
+        if (setting.privileges || setting.grantablePrivileges) {
+          revoke[objectTypeToKey[obj.object]] = setting;
+        }
+      }
+      if (hasAnyPrivilege(revoke)) {
+        ast.push({
+          type: "defaultPrivilege",
+          grantee,
+          schema: dbPrivilege.schema,
+          revoke
+        });
+      }
+    }
+  }
+  for (const [key, codePrivilege] of codePrivileges) {
+    if (found.has(key)) continue;
+    const grant = {};
+    for (const obj of codePrivilege.objectConfigs) {
+      const { regular, grantable } = splitPrivilegeConfigs(
+        obj.privilegeConfigs
+      );
+      const setting = createPrivilegeSetting(regular, grantable);
+      if (setting.privileges || setting.grantablePrivileges) {
+        grant[objectTypeToKey[obj.object]] = setting;
+      }
+    }
+    if (hasAnyPrivilege(grant)) {
+      ast.push({
+        type: "defaultPrivilege",
+        grantee: codePrivilege.grantee,
+        schema: codePrivilege.schema,
+        grant
+      });
+    }
+  }
+};
+
 class PendingDbTypes {
   constructor() {
     this.set = /* @__PURE__ */ new Set();
@@ -2260,6 +2612,7 @@ class PendingDbTypes {
 const composeMigration = async (adapter, config, ast, dbStructure, params) => {
   const { structureToAstCtx, currentSchema } = params;
   await processRoles(ast, dbStructure, params);
+  processDefaultPrivileges(ast, dbStructure, params);
   const domainsMap = rakeDb.makeDomainsMap(structureToAstCtx, dbStructure);
   await processSchemas(ast, dbStructure, params);
   processExtensions(ast, dbStructure, params);
@@ -2286,7 +2639,7 @@ const composeMigration = async (adapter, config, ast, dbStructure, params) => {
 };
 
 const rollbackErr = new Error("Rollback");
-const verifyMigration = async (adapter, config, migrationCode, generateMigrationParams, roles) => {
+const verifyMigration = async (adapter, config, migrationCode, generateMigrationParams, roles, defaultPrivileges) => {
   const migrationFn = new Function("change", migrationCode);
   let code;
   try {
@@ -2303,7 +2656,8 @@ const verifyMigration = async (adapter, config, migrationCode, generateMigration
         await changeFn(db, true);
       }
       const dbStructure = await rakeDb.introspectDbSchema(trx, {
-        roles
+        roles,
+        loadDefaultPrivileges: defaultPrivileges?.loadDefaultPrivileges
       });
       generateMigrationParams.verifying = true;
       try {
@@ -2632,12 +2986,59 @@ const report = (ast, config, currentSchema) => {
         );
         break;
       case "renameRole":
-        code.push(
-          `${yellow("~ rename role")} ${a.from} ${yellow("=>")} ${a.to}`
-        );
-        break;
       case "changeRole": {
-        code.push(`${yellow("~ change role")} ${a.name}`);
+        if (a.type === "renameRole") {
+          code.push(
+            `${yellow("~ rename role")} ${a.from} ${yellow("=>")} ${a.to}`
+          );
+        } else {
+          code.push(`${yellow("~ change role")} ${a.name}`);
+        }
+        break;
+      }
+      case "defaultPrivilege": {
+        const mapPrivilege = (p) => p === "ALL" ? "ALL PRIVILEGES" : p;
+        const schema = a.schema ? ` in schema ${pqb.colors.pale(a.schema)}` : ` ${pqb.colors.pale("in all schemas")}`;
+        const parts = [];
+        if (a.grant) {
+          for (const [objType, config2] of Object.entries(a.grant)) {
+            if (!config2) continue;
+            const type = objType.replace(/([A-Z])/g, " $1").toLowerCase();
+            if (config2.privileges?.length) {
+              parts.push(
+                `${green("+ grant default privileges")} ${config2.privileges.map(mapPrivilege).join(", ")} on ${type} to ${a.grantee}${schema}`
+              );
+            }
+            if (config2.grantablePrivileges?.length) {
+              parts.push(
+                `${green(
+                  "+ grant default privileges"
+                )} ${config2.grantablePrivileges.map(mapPrivilege).join(", ")} on ${type} with grant option to ${a.grantee}${schema}`
+              );
+            }
+          }
+        }
+        if (a.revoke) {
+          for (const [objType, config2] of Object.entries(a.revoke)) {
+            if (!config2) continue;
+            const type = objType.replace(/([A-Z])/g, " $1").toLowerCase();
+            if (config2.privileges?.length) {
+              parts.push(
+                `${red("- revoke default privileges")} ${config2.privileges.map(mapPrivilege).join(", ")} on ${type} from ${a.grantee}${schema}`
+              );
+            }
+            if (config2.grantablePrivileges?.length) {
+              parts.push(
+                `${red(
+                  "- revoke default privileges"
+                )} ${config2.grantablePrivileges.map(mapPrivilege).join(", ")} on ${type} with grant option from ${a.grantee}${schema}`
+              );
+            }
+          }
+        }
+        if (parts.length) {
+          code.push(parts.join("\n"));
+        }
         break;
       }
       default:
@@ -2676,6 +3077,7 @@ const generate = async (adapters, config, args, afterPull) => {
     adapters,
     config,
     rolesDbStructureParam,
+    internal.roles ? { loadDefaultPrivileges: true } : void 0,
     afterPull
   );
   const [adapter] = adapters;
@@ -2717,7 +3119,8 @@ const generate = async (adapters, config, args, afterPull) => {
       config,
       migrationCode,
       generateMigrationParams,
-      rolesDbStructureParam
+      rolesDbStructureParam,
+      internal.roles ? { loadDefaultPrivileges: true } : void 0
     );
     if (result !== void 0) {
       throw new Error(
@@ -2775,10 +3178,12 @@ const getDbFromConfig = async (config, dbPath) => {
   }
   return db;
 };
-const migrateAndPullStructures = async (adapters, config, roles, afterPull) => {
+const migrateAndPullStructures = async (adapters, config, roles, defaultPrivileges, afterPull) => {
   if (afterPull) {
+    const version = await rakeDb.getDbVersion(adapters[0]);
     return {
       dbStructure: {
+        version,
         schemas: [],
         tables: [],
         views: [],
@@ -2799,7 +3204,8 @@ const migrateAndPullStructures = async (adapters, config, roles, afterPull) => {
   const dbStructures = await Promise.all(
     adapters.map(
       (adapter) => rakeDb.introspectDbSchema(adapter, {
-        roles
+        roles,
+        loadDefaultPrivileges: defaultPrivileges?.loadDefaultPrivileges
       })
     )
   );
@@ -2852,6 +3258,7 @@ const getActualItems = async (db, currentSchema, internal, columnTypes) => {
     tables: [],
     domains: []
   };
+  codeItems.schemas.add(currentSchema);
   const domains = /* @__PURE__ */ new Map();
   for (const key in db) {
     if (key[0] === "$") continue;
@@ -2926,6 +3333,15 @@ const getActualItems = async (db, currentSchema, internal, columnTypes) => {
     codeItems.schemas.add(domain.schemaName);
     codeItems.domains.push(domain);
   }
+  if (internal.roles) {
+    for (const role of internal.roles) {
+      if (role.defaultPrivileges) {
+        for (const privilege of role.defaultPrivileges) {
+          if (privilege.schema) codeItems.schemas.add(privilege.schema);
+        }
+      }
+    }
+  }
   return codeItems;
 };
 const processEnumColumn = (column, currentSchema, codeItems) => {