test

soedirgo · soedirgo · commit 169df475e13c · 2024-08-09T14:47:02.000+08:00
diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh
@@ -538,25 +538,24 @@ begin
     if obj->>'owner' = 'postgres' then
       execute(format('alter schema %s owner to postgres;', (obj->>'oid')::regnamespace));
     end if;
-    update pg_namespace set nspacl = (obj->>'acl')::aclitem[] where oid = (obj->>'oid')::regnamespace;
-    -- for rec in
-    --   select grantor, grantee, privilege_type, is_grantable
-    --   from aclexplode((obj->>'acl')::aclitem[])
-    --   where grantee::regrole in ('postgres', 'supabase_admin')
-    -- loop
-    --   execute(format('revoke %s on schema %s from %I', rec.privilege_type, (obj->>'oid')::regnamespace, case when rec.grantee = 'postgres'::regrole then 'supabase_admin' else 'postgres' end));
-    -- end loop;
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+      where grantee::regrole in ('postgres', 'supabase_admin')
+    loop
+      execute(format('revoke %s on schema %s from %I', rec.privilege_type, (obj->>'oid')::regnamespace, case when rec.grantee = 'postgres'::regrole then 'supabase_admin' else 'postgres' end));
+    end loop;
+  end loop;
+  foreach obj in array schemas
+  loop
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+      where grantee::regrole in ('postgres', 'supabase_admin')
+    loop
+      execute(format('grant %s on schema %s to %I %s', rec.privilege_type, (obj->>'oid')::regnamespace, rec.grantee::regrole, case when rec.is_grantable then 'with grant option' else '' end));
+    end loop;
   end loop;
-  -- foreach obj in array schemas
-  -- loop
-  --   for rec in
-  --     select grantor, grantee, privilege_type, is_grantable
-  --     from aclexplode((obj->>'acl')::aclitem[])
-  --     where grantee::regrole in ('postgres', 'supabase_admin')
-  --   loop
-  --     execute(format('grant %s on schema %s to %I', rec.privilege_type, (obj->>'oid')::regnamespace, rec.grantee::regrole));
-  --   end loop;
-  -- end loop;
 
   -- types
   foreach obj in array types
@@ -567,9 +566,19 @@ begin
     for rec in
       select grantor, grantee, privilege_type, is_grantable
       from aclexplode((obj->>'acl')::aclitem[])
-      where grantee = 'postgres'::regrole
+      where grantee::regrole in ('postgres', 'supabase_admin')
     loop
-      execute(format('grant %s on type %s to postgres %s', rec.privilege_type, (obj->>'oid')::regtype, case when rec.is_grantable then 'with grant option' else '' end));
+      execute(format('revoke %s on type %s from %I', rec.privilege_type, (obj->>'oid')::regtype, case when rec.grantee = 'postgres'::regrole then 'supabase_admin' else 'postgres' end));
+    end loop;
+  end loop;
+  foreach obj in array types
+  loop
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+      where grantee::regrole in ('postgres', 'supabase_admin')
+    loop
+      execute(format('grant %s on type %s to %I %s', rec.privilege_type, (obj->>'oid')::regtype, rec.grantee::regrole, case when rec.is_grantable then 'with grant option' else '' end));
     end loop;
   end loop;
 
@@ -582,9 +591,19 @@ begin
     for rec in
       select grantor, grantee, privilege_type, is_grantable
       from aclexplode((obj->>'acl')::aclitem[])
-      where grantee = 'postgres'::regrole
+      where grantee::regrole in ('postgres', 'supabase_admin')
+    loop
+      execute(format('revoke %s on function %s(%s) from %I', rec.privilege_type, (obj->>'oid')::regproc, pg_get_function_identity_arguments((obj->>'oid')::regproc), case when rec.grantee = 'postgres'::regrole then 'supabase_admin' else 'postgres' end));
+    end loop;
+  end loop;
+  foreach obj in array functions
+  loop
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+      where grantee::regrole in ('postgres', 'supabase_admin')
     loop
-      execute(format('grant %s on function %s(%s) to postgres %s', rec.privilege_type, (obj->>'oid')::regproc, pg_get_function_identity_arguments((obj->>'oid')::regproc), case when rec.is_grantable then 'with grant option' else '' end));
+      execute(format('grant %s on function %s(%s) to %I %s', rec.privilege_type, (obj->>'oid')::regproc, pg_get_function_identity_arguments((obj->>'oid')::regproc), rec.grantee::regrole, case when rec.is_grantable then 'with grant option' else '' end));
     end loop;
   end loop;
 
@@ -599,9 +618,21 @@ begin
     for rec in
       select grantor, grantee, privilege_type, is_grantable
       from aclexplode((obj->>'acl')::aclitem[])
-      where grantee = 'postgres'::regrole
+      where grantee::regrole in ('postgres', 'supabase_admin')
+    loop
+      execute(format('revoke %s on table %s from %I', rec.privilege_type, (obj->>'oid')::oid::regclass, case when rec.grantee = 'postgres'::regrole then 'supabase_admin' else 'postgres' end));
+    end loop;
+  end loop;
+  foreach obj in array relations
+  loop
+    -- obj->>'oid' (text) needs to be casted to oid first for some reason
+
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+      where grantee::regrole in ('postgres', 'supabase_admin')
     loop
-      execute(format('grant %s on table %s to postgres %s', rec.privilege_type, (obj->>'oid')::oid::regclass, case when rec.is_grantable then 'with grant option' else '' end));
+      execute(format('grant %s on table %s to %I %s', rec.privilege_type, (obj->>'oid')::oid::regclass, rec.grantee::regrole, case when rec.is_grantable then 'with grant option' else '' end));
     end loop;
   end loop;
 end
