Add settings for queues: toggle expose through postgrest + permissions via table privileges (supabase#30564)

* Add settings for queues: toggle expose through postgrest + permissions via table privileges

* Ensure appropriate grants are granted when toggling, and revoked when disabling

* Update to use queues_public schema

* Update queue schema to pgmq_public and add/remove from data api when enabling/disabling

* Fix query for retrieving toggle state

* Add schema invalidation

* Remove hard code

* Use QueuesSettings from Queues folder, remove from NewQueues

* Update SQL for toggling exposure + support RLS enabling

* Support toggling RLS for a queue

* Update admonition copy in queues for enabling/disable postgrest exposure

* Add custom RLS policy for queue

* Minor style fixes

* Fix

* Remove hard code

* Update RLS to add message regarding relevancy only if exposure to PostgREST is enabled

* Update message in exposing queues to postgREST

* Address feedback

* Address feedback

* Don't revoke postgres role stuff

* Remove hard code

* Update copy

* Update

* Address Oli's feedback, ensure that queues ALL have RLS enabled prior to allowing exposure to PostgREST

* Address remaining feedback

* Remove hardcode

* Update

* Address feedback

Author: joshenlim

apps/studio/components/interfaces/Auth/Policies/AIPolicyEditorPanel/PolicyTemplates.tsx

@@ -10,6 +10,7 @@ import CopyButton from 'components/ui/CopyButton'
 import NoSearchResults from 'components/ui/NoSearchResults'
 import {
   getGeneralPolicyTemplates,
+  getQueuePolicyTemplates,
   getRealtimePolicyTemplates,
 } from '../PolicyEditorModal/PolicyEditorModal.constants'
 
@@ -33,7 +34,9 @@ export const PolicyTemplates = ({
   const templates =
     schema === 'realtime'
       ? getRealtimePolicyTemplates()
-      : getGeneralPolicyTemplates(schema, table.length > 0 ? table : 'table_name')
+      : schema === 'pgmq'
+        ? getQueuePolicyTemplates()
+        : getGeneralPolicyTemplates(schema, table.length > 0 ? table : 'table_name')
 
   const baseTemplates =
     selectedPolicy !== undefined

apps/studio/components/interfaces/Auth/Policies/PolicyEditorModal/PolicyEditorModal.constants.ts

@@ -326,3 +326,21 @@ with check ( realtime.messages.extension = 'presence' AND realtime.topic() = 'ch
   ] as PolicyTemplate[]
   return results
 }
+
+export const getQueuePolicyTemplates = (): PolicyTemplate[] => {
+  return [
+    {
+      id: 'policy-queues-1',
+      preview: false,
+      templateName: 'Allow access to queue',
+      statement: ``.trim(),
+      name: 'Allow anon and authenticated to access messages from queue',
+      description:
+        'Base policy to ensure that anon and authenticated can only access appropriate rows. USING and CHECK statements will need to be adjusted accordingly',
+      definition: 'true',
+      check: 'true',
+      command: 'ALL',
+      roles: ['anon', 'authenticated'],
+    },
+  ]
+}

apps/studio/components/interfaces/Auth/Policies/PolicyTableRow/PolicyRow.tsx

@@ -62,37 +62,43 @@ const PolicyRow = ({
         'w-full last:border-0 space-x-4 border-b py-4 lg:items-center'
       )}
     >
-      <div className="flex grow flex-col space-y-1">
-        <div className="flex items-center space-x-4">
-          <p className="font-mono text-xs text-foreground-light">{policy.command}</p>
-          <p className="text-sm text-foreground">{policy.name}</p>
+      <div className="flex grow flex-col gap-y-1">
+        <div className="flex items-start gap-x-4">
+          <p className="font-mono text-xs text-foreground-light translate-y-[2px] min-w-12">
+            {policy.command}
+          </p>
+
+          <div className="flex flex-col gap-y-1">
+            <p className="text-sm text-foreground">{policy.name}</p>
+            <div className="flex items-center gap-x-1">
+              <div className="text-foreground-lighter text-sm">
+                Applied to:
+                {policy.roles.slice(0, 3).map((role, i) => (
+                  <code key={`policy-${role}-${i}`} className="text-foreground-light text-xs">
+                    {role}
+                  </code>
+                ))}{' '}
+                role
+              </div>
+              {policy.roles.length > 3 && (
+                <Tooltip_Shadcn_>
+                  <TooltipTrigger_Shadcn_ asChild>
+                    <code key="policy-etc" className="text-foreground-light text-xs">
+                      + {policy.roles.length - 3} more roles
+                    </code>
+                  </TooltipTrigger_Shadcn_>
+                  <TooltipContent_Shadcn_ side="bottom" align="center">
+                    {policy.roles.slice(3).join(', ')}
+                  </TooltipContent_Shadcn_>
+                </Tooltip_Shadcn_>
+              )}
+            </div>
+          </div>
+
           {appliesToAnonymousUsers ? (
             <Badge color="yellow">Applies to anonymous users</Badge>
           ) : null}
         </div>
-        <div className="flex items-center gap-x-1 ml-[60px]">
-          <div className="text-foreground-lighter text-sm">
-            Applied to:
-            {policy.roles.slice(0, 3).map((role, i) => (
-              <code key={`policy-${role}-${i}`} className="text-foreground-light text-xs">
-                {role}
-              </code>
-            ))}{' '}
-            role
-          </div>
-          {policy.roles.length > 3 && (
-            <Tooltip_Shadcn_>
-              <TooltipTrigger_Shadcn_ asChild>
-                <code key="policy-etc" className="text-foreground-light text-xs">
-                  + {policy.roles.length - 3} more roles
-                </code>
-              </TooltipTrigger_Shadcn_>
-              <TooltipContent_Shadcn_ side="bottom" align="center">
-                {policy.roles.slice(3).join(', ')}
-              </TooltipContent_Shadcn_>
-            </Tooltip_Shadcn_>
-          )}
-        </div>
       </div>
       <div>
         {!isLocked && (

apps/studio/components/interfaces/Database/EnumeratedTypes/EnumeratedTypes.tsx

@@ -13,7 +13,7 @@ import {
   useEnumeratedTypesQuery,
 } from 'data/enumerated-types/enumerated-types-query'
 import { useQuerySchemaState } from 'hooks/misc/useSchemaQueryState'
-import { EXCLUDED_SCHEMAS } from 'lib/constants/schemas'
+import { PROTECTED_SCHEMAS } from 'lib/constants/schemas'
 import {
   Button,
   DropdownMenu,
@@ -53,7 +53,7 @@ const EnumeratedTypes = () => {
       : enumeratedTypes.filter((x) => x.schema === selectedSchema)
 
   const protectedSchemas = (schemas ?? []).filter((schema) =>
-    EXCLUDED_SCHEMAS.includes(schema?.name ?? '')
+    PROTECTED_SCHEMAS.includes(schema?.name ?? '')
   )
   const schema = schemas?.find((schema) => schema.name === selectedSchema)
   const isLocked = protectedSchemas.some((s) => s.id === schema?.id)

apps/studio/components/interfaces/Database/Functions/CreateFunction/index.tsx

@@ -13,7 +13,7 @@ import { useDatabaseExtensionsQuery } from 'data/database-extensions/database-ex
 import { useDatabaseFunctionCreateMutation } from 'data/database-functions/database-functions-create-mutation'
 import { DatabaseFunction } from 'data/database-functions/database-functions-query'
 import { useDatabaseFunctionUpdateMutation } from 'data/database-functions/database-functions-update-mutation'
-import { EXCLUDED_SCHEMAS } from 'lib/constants/schemas'
+import { PROTECTED_SCHEMAS } from 'lib/constants/schemas'
 import type { FormSchema } from 'types'
 import {
   Button,
@@ -203,7 +203,7 @@ const CreateFunction = ({ func, visible, setVisible }: CreateFunctionProps) => {
                       <FormControl_Shadcn_>
                         <SchemaSelector
                           selectedSchemaName={field.value}
-                          excludedSchemas={EXCLUDED_SCHEMAS}
+                          excludedSchemas={PROTECTED_SCHEMAS}
                           size="small"
                           onSelectSchema={(name) => field.onChange(name)}
                         />

apps/studio/components/interfaces/Database/Functions/FunctionsList/FunctionsList.tsx

@@ -17,7 +17,7 @@ import { useDatabaseFunctionsQuery } from 'data/database-functions/database-func
 import { useSchemasQuery } from 'data/database/schemas-query'
 import { useCheckPermissions } from 'hooks/misc/useCheckPermissions'
 import { useQuerySchemaState } from 'hooks/misc/useSchemaQueryState'
-import { EXCLUDED_SCHEMAS } from 'lib/constants/schemas'
+import { PROTECTED_SCHEMAS } from 'lib/constants/schemas'
 import { useAppStateSnapshot } from 'state/app-state'
 import { AiIconAnimation, Input } from 'ui'
 import ProtectedSchemaWarning from '../../ProtectedSchemaWarning'
@@ -63,7 +63,7 @@ const FunctionsList = ({
     connectionString: project?.connectionString,
   })
   const [protectedSchemas] = partition(schemas ?? [], (schema) =>
-    EXCLUDED_SCHEMAS.includes(schema?.name ?? '')
+    PROTECTED_SCHEMAS.includes(schema?.name ?? '')
   )
   const foundSchema = schemas?.find((schema) => schema.name === selectedSchema)
   const isLocked = protectedSchemas.some((s) => s.id === foundSchema?.id)

apps/studio/components/interfaces/Database/Indexes/Indexes.tsx

@@ -13,7 +13,7 @@ import { DatabaseIndex, useIndexesQuery } from 'data/database/indexes-query'
 import { useSchemasQuery } from 'data/database/schemas-query'
 import { useExecuteSqlMutation } from 'data/sql/execute-sql-mutation'
 import { useQuerySchemaState } from 'hooks/misc/useSchemaQueryState'
-import { EXCLUDED_SCHEMAS } from 'lib/constants/schemas'
+import { PROTECTED_SCHEMAS } from 'lib/constants/schemas'
 import { AlertCircle, Search, Trash } from 'lucide-react'
 import { Button, Input, SidePanel } from 'ui'
 import ConfirmationModal from 'ui-patterns/Dialogs/ConfirmationModal'
@@ -64,7 +64,7 @@ const Indexes = () => {
   })
 
   const [protectedSchemas] = partition(schemas ?? [], (schema) =>
-    EXCLUDED_SCHEMAS.includes(schema?.name ?? '')
+    PROTECTED_SCHEMAS.includes(schema?.name ?? '')
   )
   const schema = schemas?.find((schema) => schema.name === selectedSchema)
   const isLocked = protectedSchemas.some((s) => s.id === schema?.id)

apps/studio/components/interfaces/Database/ProtectedSchemaWarning.tsx

@@ -1,7 +1,7 @@
 import { useState } from 'react'
 import { AlertDescription_Shadcn_, AlertTitle_Shadcn_, Alert_Shadcn_, Button, Modal } from 'ui'
 
-import { EXCLUDED_SCHEMAS } from 'lib/constants/schemas'
+import { PROTECTED_SCHEMAS } from 'lib/constants/schemas'
 import { AlertCircle } from 'lucide-react'
 
 export const ProtectedSchemaModal = ({
@@ -31,7 +31,7 @@ export const ProtectedSchemaModal = ({
           access through the dashboard.
         </p>
         <div className="flex flex-wrap gap-1">
-          {EXCLUDED_SCHEMAS.map((schema) => (
+          {PROTECTED_SCHEMAS.map((schema) => (
             <code key={schema} className="text-xs">
               {schema}
             </code>

apps/studio/components/interfaces/Database/Publications/PublicationsTables.tsx

@@ -10,7 +10,7 @@ import InformationBox from 'components/ui/InformationBox'
 import { Loading } from 'components/ui/Loading'
 import { useTablesQuery } from 'data/tables/tables-query'
 import { useCheckPermissions } from 'hooks/misc/useCheckPermissions'
-import { EXCLUDED_SCHEMAS } from 'lib/constants/schemas'
+import { PROTECTED_SCHEMAS } from 'lib/constants/schemas'
 import { Button, Input } from 'ui'
 import PublicationsTableItem from './PublicationsTableItem'
 import { ChevronLeft, Search, AlertCircle } from 'lucide-react'
@@ -44,8 +44,8 @@ const PublicationsTables = ({ selectedPublication, onSelectBack }: PublicationsT
       select(tables) {
         return tables.filter((table) =>
           filterString.length === 0
-            ? !EXCLUDED_SCHEMAS.includes(table.schema)
-            : !EXCLUDED_SCHEMAS.includes(table.schema) && table.name.includes(filterString)
+            ? !PROTECTED_SCHEMAS.includes(table.schema)
+            : !PROTECTED_SCHEMAS.includes(table.schema) && table.name.includes(filterString)
         )
       },
     }

apps/studio/components/interfaces/Database/Tables/ColumnList.tsx

@@ -15,7 +15,7 @@ import { GenericSkeletonLoader } from 'components/ui/ShimmeringLoader'
 import { useTableEditorQuery } from 'data/table-editor/table-editor-query'
 import { isTableLike } from 'data/table-editor/table-editor-types'
 import { useCheckPermissions } from 'hooks/misc/useCheckPermissions'
-import { EXCLUDED_SCHEMAS } from 'lib/constants/schemas'
+import { PROTECTED_SCHEMAS } from 'lib/constants/schemas'
 import {
   Button,
   DropdownMenu,
@@ -61,7 +61,7 @@ const ColumnList = ({
       ? selectedTable?.columns ?? []
       : selectedTable?.columns?.filter((column: any) => column.name.includes(filterString))) ?? []
 
-  const isLocked = EXCLUDED_SCHEMAS.includes(selectedTable?.schema ?? '')
+  const isLocked = PROTECTED_SCHEMAS.includes(selectedTable?.schema ?? '')
   const canUpdateColumns = useCheckPermissions(PermissionAction.TENANT_SQL_ADMIN_WRITE, 'columns')
 
   return (