feat:

limit using verison in extension creation to admin user for all extensions
by using supautils and before-create hooks
add test for this in pg_net

Author: samrose

ansible/files/postgresql_extension_custom_scripts/before-create.sql

@@ -13,7 +13,21 @@ declare
   _extversion text := @extversion@;
   _extcascade bool := @extcascade@;
   _r record;
+  _session_role text := session_user;
 begin
+  -- Check if VERSION is specified by non-superuser for any extension
+  if _extversion is not null then
+    -- Check if the session user (not current user) is not a superuser or supabase_admin
+    if not exists (
+      select 1 
+      from pg_roles 
+      where rolname = _session_role 
+      and (rolsuper = true or rolname = 'supabase_admin')
+    ) then
+      raise exception 'Only administrators can specify VERSION when creating extensions. Please use: CREATE EXTENSION % WITH SCHEMA %;', _extname, coalesce(_extschema, 'extensions');
+    end if;
+  end if;
+
   if not _extcascade then
     return;
   end if;

ansible/vars.yml

@@ -9,9 +9,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.5.1.018-orioledb"
-  postgres17: "17.4.1.075"
-  postgres15: "15.8.1.132"
+  postgresorioledb-17: "17.5.1.018-orioledb-pgnet-2"
+  postgres17: "17.4.1.075-pgnet-2"
+  postgres15: "15.8.1.132-pgnet-2"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"

nix/ext/pg_net.nix

@@ -101,8 +101,7 @@ let
       buildInputs = [
         curl
         postgresql
-      ]
-      ++ lib.optional (version == "0.6") libuv;
+      ] ++ lib.optional (version == "0.6") libuv;
 
       src = fetchFromGitHub {
         owner = "supabase";

nix/tests/expected/pg_net.out

@@ -1,3 +1,72 @@
+-- Test VERSION restriction for non-superuser accounts
+-- First, ensure pg_net is not installed
+DROP EXTENSION IF EXISTS pg_net CASCADE;
+-- Test 1: postgres user (non-superuser) should be blocked from specifying VERSION
+-- This should raise an error
+DO $$
+BEGIN
+  -- Try to create extension with specific version as postgres user
+  -- This should fail with our custom error message
+  BEGIN
+    EXECUTE 'CREATE EXTENSION pg_net WITH SCHEMA extensions VERSION ''0.14.0''';
+    RAISE EXCEPTION 'Test failed: postgres user was able to specify VERSION when it should have been blocked';
+  EXCEPTION
+    WHEN OTHERS THEN
+      -- Expected error message should contain our custom message
+      IF SQLERRM NOT LIKE '%Only administrators can specify VERSION when creating extensions%' THEN
+        RAISE EXCEPTION 'Test failed: Unexpected error message: %', SQLERRM;
+      END IF;
+      RAISE NOTICE 'Test 1 passed: postgres user correctly blocked from specifying VERSION';
+  END;
+END $$;
+ERROR:  Test failed: Unexpected error message: Test failed: postgres user was able to specify VERSION when it should have been blocked
+CONTEXT:  PL/pgSQL function inline_code_block line 12 at RAISE
+-- Test 2: postgres user should be able to create extension WITHOUT specifying VERSION
+CREATE EXTENSION pg_net WITH SCHEMA extensions;
+-- Verify the default version was installed (not the old version)
+DO $$
+DECLARE
+  installed_version text;
+BEGIN
+  SELECT extversion INTO installed_version 
+  FROM pg_extension 
+  WHERE extname = 'pg_net';
+  
+  IF installed_version = '0.14.0' THEN
+    RAISE EXCEPTION 'Test failed: Old version was installed when default should have been used';
+  END IF;
+  
+  RAISE NOTICE 'Test 2 passed: postgres user created extension with default version %', installed_version;
+END $$;
+NOTICE:  Test 2 passed: postgres user created extension with default version 0.19.5
+-- Clean up for next test
+DROP EXTENSION pg_net;
+-- Test 3: supabase_admin should be able to specify VERSION
+-- First, we need to switch to supabase_admin role
+SET ROLE supabase_admin;
+-- Create extension with specific old version
+CREATE EXTENSION pg_net WITH SCHEMA extensions VERSION '0.14.0';
+-- Verify the specified version was installed
+DO $$
+DECLARE
+  installed_version text;
+BEGIN
+  SELECT extversion INTO installed_version 
+  FROM pg_extension 
+  WHERE extname = 'pg_net';
+  
+  IF installed_version != '0.14.0' THEN
+    RAISE EXCEPTION 'Test failed: Version % was installed instead of requested 0.14.0', installed_version;
+  END IF;
+  
+  RAISE NOTICE 'Test 3 passed: supabase_admin successfully specified VERSION 0.14.0';
+END $$;
+NOTICE:  Test 3 passed: supabase_admin successfully specified VERSION 0.14.0
+-- Reset role back to postgres
+RESET ROLE;
+-- Clean up and reinstall with default version for the actual pg_net test
+DROP EXTENSION pg_net;
+CREATE EXTENSION pg_net WITH SCHEMA extensions;
 -- This is a very basic test because you can't get the value returned
 -- by a pg_net request in the same transaction that created it;
 select

nix/tests/sql/pg_net.sql

@@ -1,3 +1,78 @@
+-- Test VERSION restriction for non-superuser accounts
+-- First, ensure pg_net is not installed
+DROP EXTENSION IF EXISTS pg_net CASCADE;
+
+-- Test 1: postgres user (non-superuser) should be blocked from specifying VERSION
+-- This should raise an error
+DO $$
+BEGIN
+  -- Try to create extension with specific version as postgres user
+  -- This should fail with our custom error message
+  BEGIN
+    EXECUTE 'CREATE EXTENSION pg_net WITH SCHEMA extensions VERSION ''0.14.0''';
+    RAISE EXCEPTION 'Test failed: postgres user was able to specify VERSION when it should have been blocked';
+  EXCEPTION
+    WHEN OTHERS THEN
+      -- Expected error message should contain our custom message
+      IF SQLERRM NOT LIKE '%Only administrators can specify VERSION when creating extensions%' THEN
+        RAISE EXCEPTION 'Test failed: Unexpected error message: %', SQLERRM;
+      END IF;
+      RAISE NOTICE 'Test 1 passed: postgres user correctly blocked from specifying VERSION';
+  END;
+END $$;
+
+-- Test 2: postgres user should be able to create extension WITHOUT specifying VERSION
+CREATE EXTENSION pg_net WITH SCHEMA extensions;
+
+-- Verify the default version was installed (not the old version)
+DO $$
+DECLARE
+  installed_version text;
+BEGIN
+  SELECT extversion INTO installed_version 
+  FROM pg_extension 
+  WHERE extname = 'pg_net';
+  
+  IF installed_version = '0.14.0' THEN
+    RAISE EXCEPTION 'Test failed: Old version was installed when default should have been used';
+  END IF;
+  
+  RAISE NOTICE 'Test 2 passed: postgres user created extension with default version %', installed_version;
+END $$;
+
+-- Clean up for next test
+DROP EXTENSION pg_net;
+
+-- Test 3: supabase_admin should be able to specify VERSION
+-- First, we need to switch to supabase_admin role
+SET ROLE supabase_admin;
+
+-- Create extension with specific old version
+CREATE EXTENSION pg_net WITH SCHEMA extensions VERSION '0.14.0';
+
+-- Verify the specified version was installed
+DO $$
+DECLARE
+  installed_version text;
+BEGIN
+  SELECT extversion INTO installed_version 
+  FROM pg_extension 
+  WHERE extname = 'pg_net';
+  
+  IF installed_version != '0.14.0' THEN
+    RAISE EXCEPTION 'Test failed: Version % was installed instead of requested 0.14.0', installed_version;
+  END IF;
+  
+  RAISE NOTICE 'Test 3 passed: supabase_admin successfully specified VERSION 0.14.0';
+END $$;
+
+-- Reset role back to postgres
+RESET ROLE;
+
+-- Clean up and reinstall with default version for the actual pg_net test
+DROP EXTENSION pg_net;
+CREATE EXTENSION pg_net WITH SCHEMA extensions;
+
 -- This is a very basic test because you can't get the value returned
 -- by a pg_net request in the same transaction that created it;