supabase
diff --git a/‎ansible/files/admin_api_scripts/pg_upgrade_scripts/change_bootstrap_user.sql
Lines changed: 330 additions & 0 deletions b/‎ansible/files/admin_api_scripts/pg_upgrade_scripts/change_bootstrap_user.sql
Lines changed: 330 additions & 0 deletions
@@ -0,0 +1,330 @@
+do $$
+declare
+  postgres_rolpassword text := (select rolpassword from pg_authid where rolname = 'postgres');
+  supabase_admin_rolpassword text := (select rolpassword from pg_authid where rolname = 'supabase_admin');
+  postgres_role_settings text[] := (select setconfig from pg_db_role_setting where setdatabase = 0 and setrole = 'postgres'::regrole);
+  supabase_admin_role_settings text[] := (select setconfig from pg_db_role_setting where setdatabase = 0 and setrole = 'supabase_admin'::regrole);
+  event_triggers jsonb[] := (select coalesce(array_agg(jsonb_build_object('name', evtname)), '{}') from pg_event_trigger where evtowner = 'postgres'::regrole);
+  default_acls jsonb[] := (
+    select coalesce(array_agg(jsonb_build_object('oid', d.oid, 'role', a.rolname, 'schema', n.nspname, 'objtype', d.defaclobjtype, 'acl', defaclacl::text)), '{}')
+    from pg_default_acl d
+    join pg_authid a on a.oid = d.defaclrole
+    left join pg_namespace n on n.oid = d.defaclnamespace
+  );
+  -- We only care about swapping init_privs for extensions
+  init_privs jsonb[] := (
+    select coalesce(array_agg(jsonb_build_object('objoid', objoid, 'classoid', classoid, 'initprivs', initprivs::text)), '{}')
+    from pg_init_privs
+    where privtype = 'e'
+  );
+  schemas jsonb[] := (
+    select coalesce(array_agg(jsonb_build_object('oid', n.oid, 'owner', a.rolname, 'acl', nspacl::text)), '{}')
+    from pg_namespace n
+    join pg_authid a on a.oid = n.nspowner
+    where true
+      and n.nspname != 'information_schema'
+      and not starts_with(n.nspname, 'pg_')
+  );
+  types jsonb[] := (
+    select coalesce(array_agg(jsonb_build_object('oid', t.oid, 'owner', a.rolname, 'acl', t.typacl::text)), '{}')
+    from pg_type t
+    join pg_namespace n on n.oid = t.typnamespace
+    join pg_authid a on a.oid = t.typowner
+    where true
+      and n.nspname != 'information_schema'
+      and not starts_with(n.nspname, 'pg_')
+      and (
+        t.typrelid = 0
+        or (
+          select
+            c.relkind = 'c'
+          from
+            pg_class c
+          where
+            c.oid = t.typrelid
+        )
+      )
+      and not exists (
+        select
+        from
+          pg_type el
+        where
+          el.oid = t.typelem
+          and el.typarray = t.oid
+      )
+  );
+  functions jsonb[] := (
+    select coalesce(array_agg(jsonb_build_object('oid', p.oid, 'owner', a.rolname, 'acl', p.proacl::text)), '{}')
+    from pg_proc p
+    join pg_namespace n on n.oid = p.pronamespace
+    join pg_authid a on a.oid = p.proowner
+    where true
+      and n.nspname != 'information_schema'
+      and not starts_with(n.nspname, 'pg_')
+  );
+  relations jsonb[] := (
+    select coalesce(array_agg(jsonb_build_object('oid', c.oid, 'owner', a.rolname, 'acl', c.relacl::text)), '{}')
+    from pg_class c
+    join pg_namespace n on n.oid = c.relnamespace
+    join pg_authid a on a.oid = c.relowner
+    where true
+      and n.nspname != 'information_schema'
+      and not starts_with(n.nspname, 'pg_')
+      and c.relkind not in ('c', 'i')
+  );
+  rec record;
+  obj jsonb;
+begin
+  set local search_path = '';
+
+  alter role postgres rename to supabase_admin_;
+  alter role supabase_admin rename to postgres;
+  alter role supabase_admin_ rename to supabase_admin;
+
+  -- role grants
+  for rec in
+    select * from pg_auth_members
+  loop
+    execute(format('revoke %I from %I;', rec.roleid::regrole, rec.member::regrole));
+    execute(format(
+      'grant %I to %I %s granted by %I;',
+      case
+        when rec.roleid = 'postgres'::regrole then 'supabase_admin'
+        when rec.roleid = 'supabase_admin'::regrole then 'postgres'
+        else rec.roleid::regrole
+      end,
+      case
+        when rec.member = 'postgres'::regrole then 'supabase_admin'
+        when rec.member = 'supabase_admin'::regrole then 'postgres'
+        else rec.member::regrole
+      end,
+      case
+        when rec.admin_option then 'with admin option'
+        else ''
+      end,
+      case
+        when rec.grantor = 'postgres'::regrole then 'supabase_admin'
+        when rec.grantor = 'supabase_admin'::regrole then 'postgres'
+        else rec.grantor::regrole
+      end
+    ));
+  end loop;
+
+  -- role passwords
+  execute(format('alter role postgres password %L;', postgres_rolpassword));
+  execute(format('alter role supabase_admin password %L;', supabase_admin_rolpassword));
+
+  -- role settings
+  -- TODO: don't modify system catalog directly
+  update pg_db_role_setting set setconfig = postgres_role_settings where setdatabase = 0 and setrole = 'postgres'::regrole;
+  update pg_db_role_setting set setconfig = supabase_admin_role_settings where setdatabase = 0 and setrole = 'supabase_admin'::regrole;
+
+  reassign owned by postgres to supabase_admin;
+
+  -- databases
+  for rec in
+    select * from pg_database where datname not in ('template0')
+  loop
+    execute(format('alter database %I owner to postgres;', rec.datname));
+  end loop;
+
+  -- event triggers
+  foreach obj in array event_triggers
+  loop
+    execute(format('alter event trigger %I owner to postgres;', obj->>'name'));
+  end loop;
+
+  -- publications
+  for rec in
+    select * from pg_publication
+  loop
+    execute(format('alter publication %I owner to postgres;', rec.pubname));
+  end loop;
+
+  -- FDWs
+  for rec in
+    select * from pg_foreign_data_wrapper
+  loop
+    execute(format('alter foreign data wrapper %I owner to postgres;', rec.fdwname));
+  end loop;
+
+  -- foreign servers
+  for rec in
+    select * from pg_foreign_server
+  loop
+    execute(format('alter server %I owner to postgres;', rec.srvname));
+  end loop;
+
+  -- user mappings
+  -- TODO: don't modify system catalog directly
+  update pg_user_mapping set umuser = 'postgres'::regrole where umuser = 'supabase_admin'::regrole;
+
+  -- init privs
+  foreach obj in array init_privs
+  loop
+    update pg_init_privs set initprivs = (obj->>'initprivs')::aclitem[] where objoid = (obj->>'objoid')::oid and classoid = (obj->>'classoid')::oid;
+  end loop;
+
+  -- default acls
+  foreach obj in array default_acls
+  loop
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+    loop
+      if obj->>'role' in ('postgres', 'supabase_admin') or rec.grantee::regrole in ('postgres', 'supabase_admin') then
+        execute(format('alter default privileges for role %I %s revoke %s on %s from %I'
+                     , case when obj->>'role' = 'postgres' then 'supabase_admin'
+                            when obj->>'role' = 'supabase_admin' then 'postgres'
+                            else obj->>'role'
+                       end
+                     , case when obj->>'schema' is null then ''
+                            else format('in schema %I', (obj->>'schema')::regnamespace)
+                       end
+                     , rec.privilege_type
+                     , case when obj->>'objtype' = 'r' then 'tables'
+                            when obj->>'objtype' = 'S' then 'sequences'
+                            when obj->>'objtype' = 'f' then 'functions'
+                            when obj->>'objtype' = 'T' then 'types'
+                            when obj->>'objtype' = 'n' then 'schemas'
+                       end
+                     , case when rec.grantee = 'postgres'::regrole then 'supabase_admin'
+                            when rec.grantee = 'supabase_admin'::regrole then 'postgres'
+                            else rec.grantee::regrole
+                       end
+                     ));
+      end if;
+    end loop;
+  end loop;
+
+  foreach obj in array default_acls
+  loop
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+    loop
+      if obj->>'role' in ('postgres', 'supabase_admin') or rec.grantee::regrole in ('postgres', 'supabase_admin') then
+        execute(format('alter default privileges for role %I %s grant %s on %s to %I %s'
+                     , obj->>'role'
+                     , case when obj->>'schema' is null then ''
+                            else format('in schema %I', (obj->>'schema')::regnamespace)
+                       end
+                     , rec.privilege_type
+                     , case when obj->>'objtype' = 'r' then 'tables'
+                            when obj->>'objtype' = 'S' then 'sequences'
+                            when obj->>'objtype' = 'f' then 'functions'
+                            when obj->>'objtype' = 'T' then 'types'
+                            when obj->>'objtype' = 'n' then 'schemas'
+                       end
+                     , rec.grantee::regrole
+                     , case when rec.is_grantable then 'with grant option' else '' end
+                     ));
+      end if;
+    end loop;
+  end loop;
+
+  -- schemas
+  foreach obj in array schemas
+  loop
+    if obj->>'owner' = 'postgres' then
+      execute(format('alter schema %s owner to postgres;', (obj->>'oid')::regnamespace));
+    end if;
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+      where grantee::regrole in ('postgres', 'supabase_admin')
+    loop
+      execute(format('revoke %s on schema %s from %I', rec.privilege_type, (obj->>'oid')::regnamespace, case when rec.grantee = 'postgres'::regrole then 'supabase_admin' else 'postgres' end));
+    end loop;
+  end loop;
+  foreach obj in array schemas
+  loop
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+      where grantee::regrole in ('postgres', 'supabase_admin')
+    loop
+      execute(format('grant %s on schema %s to %I %s', rec.privilege_type, (obj->>'oid')::regnamespace, rec.grantee::regrole, case when rec.is_grantable then 'with grant option' else '' end));
+    end loop;
+  end loop;
+
+  -- types
+  foreach obj in array types
+  loop
+    if obj->>'owner' = 'postgres' then
+      execute(format('alter type %s owner to postgres;', (obj->>'oid')::regtype));
+    end if;
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+      where grantee::regrole in ('postgres', 'supabase_admin')
+    loop
+      execute(format('revoke %s on type %s from %I', rec.privilege_type, (obj->>'oid')::regtype, case when rec.grantee = 'postgres'::regrole then 'supabase_admin' else 'postgres' end));
+    end loop;
+  end loop;
+  foreach obj in array types
+  loop
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+      where grantee::regrole in ('postgres', 'supabase_admin')
+    loop
+      execute(format('grant %s on type %s to %I %s', rec.privilege_type, (obj->>'oid')::regtype, rec.grantee::regrole, case when rec.is_grantable then 'with grant option' else '' end));
+    end loop;
+  end loop;
+
+  -- functions
+  foreach obj in array functions
+  loop
+    if obj->>'owner' = 'postgres' then
+      execute(format('alter routine %s(%s) owner to postgres;', (obj->>'oid')::regproc, pg_get_function_identity_arguments((obj->>'oid')::regproc)));
+    end if;
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+      where grantee::regrole in ('postgres', 'supabase_admin')
+    loop
+      execute(format('revoke %s on function %s(%s) from %I', rec.privilege_type, (obj->>'oid')::regproc, pg_get_function_identity_arguments((obj->>'oid')::regproc), case when rec.grantee = 'postgres'::regrole then 'supabase_admin' else 'postgres' end));
+    end loop;
+  end loop;
+  foreach obj in array functions
+  loop
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+      where grantee::regrole in ('postgres', 'supabase_admin')
+    loop
+      execute(format('grant %s on function %s(%s) to %I %s', rec.privilege_type, (obj->>'oid')::regproc, pg_get_function_identity_arguments((obj->>'oid')::regproc), rec.grantee::regrole, case when rec.is_grantable then 'with grant option' else '' end));
+    end loop;
+  end loop;
+
+  -- relations
+  foreach obj in array relations
+  loop
+    -- obj->>'oid' (text) needs to be casted to oid first for some reason
+
+    if obj->>'owner' = 'postgres' then
+      execute(format('alter table %s owner to postgres;', (obj->>'oid')::oid::regclass));
+    end if;
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+      where grantee::regrole in ('postgres', 'supabase_admin')
+    loop
+      execute(format('revoke %s on table %s from %I', rec.privilege_type, (obj->>'oid')::oid::regclass, case when rec.grantee = 'postgres'::regrole then 'supabase_admin' else 'postgres' end));
+    end loop;
+  end loop;
+  foreach obj in array relations
+  loop
+    -- obj->>'oid' (text) needs to be casted to oid first for some reason
+
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+      where grantee::regrole in ('postgres', 'supabase_admin')
+    loop
+      execute(format('grant %s on table %s to %I %s', rec.privilege_type, (obj->>'oid')::oid::regclass, rec.grantee::regrole, case when rec.is_grantable then 'with grant option' else '' end));
+    end loop;
+  end loop;
+end
+$$;