npm - pgsql-test - Versions diffs - 2.11.4 → 2.11.6 - Mend

pgsql-test 2.11.4 → 2.11.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/admin.js CHANGED Viewed

@@ -97,7 +97,33 @@ class DbAdmin {
     }
     async grantRole(role, user, dbName) {
         const db = dbName ?? this.config.database;
-        const sql = `GRANT ${role} TO ${user};`;
+        const sql = `
+DO $$
+DECLARE
+  v_user TEXT := '${user.replace(/'/g, "''")}';
+  v_role TEXT := '${role.replace(/'/g, "''")}';
+BEGIN
+  -- Pre-check to avoid unnecessary GRANTs; still catch TOCTOU under concurrency
+  IF NOT EXISTS (
+    SELECT 1 FROM pg_auth_members am
+    JOIN pg_roles r1 ON am.roleid = r1.oid
+    JOIN pg_roles r2 ON am.member = r2.oid
+    WHERE r1.rolname = v_role AND r2.rolname = v_user
+  ) THEN
+    BEGIN
+      EXECUTE format('GRANT %I TO %I', v_role, v_user);
+    EXCEPTION
+      WHEN unique_violation THEN
+        -- Concurrent membership grant; safe to ignore
+        NULL;
+      WHEN undefined_object THEN
+        -- Role or user missing; emit notice and continue
+        RAISE NOTICE 'Missing role when granting % to %', v_role, v_user;
+    END;
+  END IF;
+END
+$$;
+    `;
         await this.streamSql(sql, db);
     }
     async grantConnect(role, dbName) {
@@ -126,35 +152,55 @@ class DbAdmin {
             -- Role already exists; optionally sync attributes here with ALTER ROLE
             NULL;
         END;
-        -- Grant anonymous role if not already granted
+        -- CI/CD concurrency note: GRANT role membership can race on pg_auth_members unique index
+        -- We pre-check membership and still catch unique_violation to handle TOCTOU safely.
         IF NOT EXISTS (
-          SELECT 1 FROM pg_auth_members am
-          JOIN pg_roles r1 ON am.roleid = r1.oid
-          JOIN pg_roles r2 ON am.member = r2.oid
-          WHERE r1.rolname = '${anonRole}' AND r2.rolname = '${user}'
+          SELECT 1 FROM pg_auth_members am
+          JOIN pg_roles r1 ON am.roleid = r1.oid
+          JOIN pg_roles r2 ON am.member = r2.oid
+          WHERE r1.rolname = '${anonRole.replace(/'/g, "''")}' AND r2.rolname = v_user
         ) THEN
-          GRANT ${anonRole} TO ${user};
+          BEGIN
+            EXECUTE format('GRANT %I TO %I', '${anonRole.replace(/'/g, "''")}', v_user);
+          EXCEPTION
+            WHEN unique_violation THEN
+              NULL;
+            WHEN undefined_object THEN
+              RAISE NOTICE 'Missing role when granting % to %', '${anonRole.replace(/'/g, "''")}', v_user;
+          END;
         END IF;
-        -- Grant authenticated role if not already granted
         IF NOT EXISTS (
-          SELECT 1 FROM pg_auth_members am
-          JOIN pg_roles r1 ON am.roleid = r1.oid
-          JOIN pg_roles r2 ON am.member = r2.oid
-          WHERE r1.rolname = '${authRole}' AND r2.rolname = '${user}'
+          SELECT 1 FROM pg_auth_members am
+          JOIN pg_roles r1 ON am.roleid = r1.oid
+          JOIN pg_roles r2 ON am.member = r2.oid
+          WHERE r1.rolname = '${authRole.replace(/'/g, "''")}' AND r2.rolname = v_user
         ) THEN
-          GRANT ${authRole} TO ${user};
+          BEGIN
+            EXECUTE format('GRANT %I TO %I', '${authRole.replace(/'/g, "''")}', v_user);
+          EXCEPTION
+            WHEN unique_violation THEN
+              NULL;
+            WHEN undefined_object THEN
+              RAISE NOTICE 'Missing role when granting % to %', '${authRole.replace(/'/g, "''")}', v_user;
+          END;
         END IF;
-        -- Grant administrator role if not already granted
         IF NOT EXISTS (
-          SELECT 1 FROM pg_auth_members am
-          JOIN pg_roles r1 ON am.roleid = r1.oid
-          JOIN pg_roles r2 ON am.member = r2.oid
-          WHERE r1.rolname = '${adminRole}' AND r2.rolname = '${user}'
+          SELECT 1 FROM pg_auth_members am
+          JOIN pg_roles r1 ON am.roleid = r1.oid
+          JOIN pg_roles r2 ON am.member = r2.oid
+          WHERE r1.rolname = '${adminRole.replace(/'/g, "''")}' AND r2.rolname = v_user
         ) THEN
-          GRANT ${adminRole} TO ${user};
+          BEGIN
+            EXECUTE format('GRANT %I TO %I', '${adminRole.replace(/'/g, "''")}', v_user);
+          EXCEPTION
+            WHEN unique_violation THEN
+              NULL;
+            WHEN undefined_object THEN
+              RAISE NOTICE 'Missing role when granting % to %', '${adminRole.replace(/'/g, "''")}', v_user;
+          END;
         END IF;
       END $$;
     `.trim();

package/esm/admin.js CHANGED Viewed

@@ -94,7 +94,33 @@ export class DbAdmin {
     }
     async grantRole(role, user, dbName) {
         const db = dbName ?? this.config.database;
-        const sql = `GRANT ${role} TO ${user};`;
+        const sql = `
+DO $$
+DECLARE
+  v_user TEXT := '${user.replace(/'/g, "''")}';
+  v_role TEXT := '${role.replace(/'/g, "''")}';
+BEGIN
+  -- Pre-check to avoid unnecessary GRANTs; still catch TOCTOU under concurrency
+  IF NOT EXISTS (
+    SELECT 1 FROM pg_auth_members am
+    JOIN pg_roles r1 ON am.roleid = r1.oid
+    JOIN pg_roles r2 ON am.member = r2.oid
+    WHERE r1.rolname = v_role AND r2.rolname = v_user
+  ) THEN
+    BEGIN
+      EXECUTE format('GRANT %I TO %I', v_role, v_user);
+    EXCEPTION
+      WHEN unique_violation THEN
+        -- Concurrent membership grant; safe to ignore
+        NULL;
+      WHEN undefined_object THEN
+        -- Role or user missing; emit notice and continue
+        RAISE NOTICE 'Missing role when granting % to %', v_role, v_user;
+    END;
+  END IF;
+END
+$$;
+    `;
         await this.streamSql(sql, db);
     }
     async grantConnect(role, dbName) {
@@ -123,35 +149,55 @@ export class DbAdmin {
             -- Role already exists; optionally sync attributes here with ALTER ROLE
             NULL;
         END;
-        -- Grant anonymous role if not already granted
+        -- CI/CD concurrency note: GRANT role membership can race on pg_auth_members unique index
+        -- We pre-check membership and still catch unique_violation to handle TOCTOU safely.
         IF NOT EXISTS (
-          SELECT 1 FROM pg_auth_members am
-          JOIN pg_roles r1 ON am.roleid = r1.oid
-          JOIN pg_roles r2 ON am.member = r2.oid
-          WHERE r1.rolname = '${anonRole}' AND r2.rolname = '${user}'
+          SELECT 1 FROM pg_auth_members am
+          JOIN pg_roles r1 ON am.roleid = r1.oid
+          JOIN pg_roles r2 ON am.member = r2.oid
+          WHERE r1.rolname = '${anonRole.replace(/'/g, "''")}' AND r2.rolname = v_user
         ) THEN
-          GRANT ${anonRole} TO ${user};
+          BEGIN
+            EXECUTE format('GRANT %I TO %I', '${anonRole.replace(/'/g, "''")}', v_user);
+          EXCEPTION
+            WHEN unique_violation THEN
+              NULL;
+            WHEN undefined_object THEN
+              RAISE NOTICE 'Missing role when granting % to %', '${anonRole.replace(/'/g, "''")}', v_user;
+          END;
         END IF;
-        -- Grant authenticated role if not already granted
         IF NOT EXISTS (
-          SELECT 1 FROM pg_auth_members am
-          JOIN pg_roles r1 ON am.roleid = r1.oid
-          JOIN pg_roles r2 ON am.member = r2.oid
-          WHERE r1.rolname = '${authRole}' AND r2.rolname = '${user}'
+          SELECT 1 FROM pg_auth_members am
+          JOIN pg_roles r1 ON am.roleid = r1.oid
+          JOIN pg_roles r2 ON am.member = r2.oid
+          WHERE r1.rolname = '${authRole.replace(/'/g, "''")}' AND r2.rolname = v_user
         ) THEN
-          GRANT ${authRole} TO ${user};
+          BEGIN
+            EXECUTE format('GRANT %I TO %I', '${authRole.replace(/'/g, "''")}', v_user);
+          EXCEPTION
+            WHEN unique_violation THEN
+              NULL;
+            WHEN undefined_object THEN
+              RAISE NOTICE 'Missing role when granting % to %', '${authRole.replace(/'/g, "''")}', v_user;
+          END;
         END IF;
-        -- Grant administrator role if not already granted
         IF NOT EXISTS (
-          SELECT 1 FROM pg_auth_members am
-          JOIN pg_roles r1 ON am.roleid = r1.oid
-          JOIN pg_roles r2 ON am.member = r2.oid
-          WHERE r1.rolname = '${adminRole}' AND r2.rolname = '${user}'
+          SELECT 1 FROM pg_auth_members am
+          JOIN pg_roles r1 ON am.roleid = r1.oid
+          JOIN pg_roles r2 ON am.member = r2.oid
+          WHERE r1.rolname = '${adminRole.replace(/'/g, "''")}' AND r2.rolname = v_user
         ) THEN
-          GRANT ${adminRole} TO ${user};
+          BEGIN
+            EXECUTE format('GRANT %I TO %I', '${adminRole.replace(/'/g, "''")}', v_user);
+          EXCEPTION
+            WHEN unique_violation THEN
+              NULL;
+            WHEN undefined_object THEN
+              RAISE NOTICE 'Missing role when granting % to %', '${adminRole.replace(/'/g, "''")}', v_user;
+          END;
         END IF;
       END $$;
     `.trim();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pgsql-test",
-  "version": "2.11.4",
+  "version": "2.11.6",
   "author": "Dan Lynch <pyramation@gmail.com>",
   "description": "pgsql-test offers isolated, role-aware, and rollback-friendly PostgreSQL environments for integration tests — giving developers realistic test coverage without external state pollution",
   "main": "index.js",
@@ -60,14 +60,14 @@
     "@types/pg-copy-streams": "^1.2.5"
   },
   "dependencies": {
-    "@launchql/core": "^2.11.4",
-    "@launchql/env": "^2.4.1",
-    "@launchql/server-utils": "^2.4.1",
-    "@launchql/types": "^2.6.0",
+    "@launchql/core": "^2.11.6",
+    "@launchql/env": "^2.4.2",
+    "@launchql/server-utils": "^2.4.2",
+    "@launchql/types": "^2.6.1",
     "pg": "^8.16.0",
-    "pg-cache": "^1.3.2",
+    "pg-cache": "^1.3.3",
     "pg-copy-streams": "^6.0.6",
     "pg-env": "^1.1.0"
   },
-  "gitHead": "57f8c45ad88b59a054b4d8a95d53cf7ef16b8d8a"
+  "gitHead": "0b26f726ac2ca19886af7553a06e95ce826d515b"
 }