Merge branch 'develop' into sam/oriole17-flake-check

samrose · web-flow · commit 97330e8447d6 · 2025-01-14T13:57:27.000-05:00
diff --git a/.github/workflows/dockerhub-release-matrix.yml b/.github/workflows/dockerhub-release-matrix.yml
@@ -7,6 +7,7 @@ on:
       - release/*
     paths:
       - ".github/workflows/dockerhub-release-matrix.yml"
+      - "ansible/vars.yml"
   workflow_dispatch:
  
 jobs:
diff --git a/ansible/files/envoy_config/lds.supabase.yaml b/ansible/files/envoy_config/lds.supabase.yaml
@@ -82,6 +82,25 @@ resources:
                                         name: ':path'
                                         string_match:
                                           contains: apikey=supabase_admin_key
+                        origin_protection_key_missing:
+                          permissions:
+                            - any: true
+                          principals:
+                            - not_id:
+                                header:
+                                  name: sb-opk
+                                  present_match: true
+                        origin_protection_key_not_valid:
+                          permissions:
+                            - any: true
+                          principals:
+                            - not_id:
+                                or_ids:
+                                  ids:
+                                    - header:
+                                        name: sb-opk
+                                        string_match:
+                                          exact: supabase_origin_protection_key
                 - name: envoy.filters.http.lua
                   typed_config:
                     '@type': >-
diff --git a/ansible/files/postgresql_config/supautils.conf.j2 b/ansible/files/postgresql_config/supautils.conf.j2
@@ -8,6 +8,6 @@ supautils.privileged_extensions = 'address_standardizer, address_standardizer_da
 supautils.privileged_extensions_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
 supautils.privileged_extensions_superuser = 'supabase_admin'
 supautils.privileged_role = 'postgres'
-supautils.privileged_role_allowed_configs = 'auto_explain.log_min_duration, auto_explain.log_nested_statements, log_lock_waits, log_min_messages, log_temp_files, pg_net.batch_size, pg_net.ttl, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing'
+supautils.privileged_role_allowed_configs = 'auto_explain.log_min_duration, auto_explain.log_nested_statements, log_lock_waits, log_min_duration_statement, log_min_messages, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, pg_stat_statements.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression'
 supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, dashboard_user, pgbouncer, authenticator'
 supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
diff --git a/ansible/files/postgresql_extension_custom_scripts/pgmq/after-create.sql b/ansible/files/postgresql_extension_custom_scripts/pgmq/after-create.sql
@@ -6,6 +6,137 @@ declare
 begin
 
   set local search_path = '';
+
+/*
+    Override the pgmq.drop_queue to check if relevant tables are owned
+    by the pgmq extension before attempting to run
+    `alter extension pgmq drop table ...`
+    this is necessary becasue, to enable nightly logical backups to include user queues
+    we automatically detach them from pgmq.
+
+    this update is backwards compatible with version 1.4.4 but should be removed once we're on
+    physical backups everywhere
+*/
+-- Detach and delete the official function
+alter extension pgmq drop function pgmq.drop_queue;
+drop function pgmq.drop_queue;
+
+-- Create and reattach the patched function
+CREATE FUNCTION pgmq.drop_queue(queue_name TEXT)
+RETURNS BOOLEAN AS $func$
+DECLARE
+    qtable TEXT := pgmq.format_table_name(queue_name, 'q');
+    qtable_seq TEXT := qtable || '_msg_id_seq';
+    fq_qtable TEXT := 'pgmq.' || qtable;
+    atable TEXT := pgmq.format_table_name(queue_name, 'a');
+    fq_atable TEXT := 'pgmq.' || atable;
+    partitioned BOOLEAN;
+BEGIN
+    EXECUTE FORMAT(
+        $QUERY$
+        SELECT is_partitioned FROM pgmq.meta WHERE queue_name = %L
+        $QUERY$,
+        queue_name
+    ) INTO partitioned;
+
+    -- NEW CONDITIONAL CHECK
+    if exists (
+        select 1
+        from pg_class c
+        join pg_depend d on c.oid = d.objid
+        join pg_extension e on d.refobjid = e.oid
+        where c.relname = qtable and e.extname = 'pgmq'
+    ) then
+
+        EXECUTE FORMAT(
+            $QUERY$
+            ALTER EXTENSION pgmq DROP TABLE pgmq.%I
+            $QUERY$,
+            qtable
+        );
+
+    end if;
+
+    -- NEW CONDITIONAL CHECK
+    if exists (
+        select 1
+        from pg_class c
+        join pg_depend d on c.oid = d.objid
+        join pg_extension e on d.refobjid = e.oid
+        where c.relname = qtable_seq and e.extname = 'pgmq'
+    ) then    
+        EXECUTE FORMAT(
+            $QUERY$
+            ALTER EXTENSION pgmq DROP SEQUENCE pgmq.%I
+            $QUERY$,
+            qtable_seq
+        );
+
+    end if;
+
+    -- NEW CONDITIONAL CHECK
+    if exists (
+        select 1
+        from pg_class c
+        join pg_depend d on c.oid = d.objid
+        join pg_extension e on d.refobjid = e.oid
+        where c.relname = atable and e.extname = 'pgmq'
+    ) then
+
+    EXECUTE FORMAT(
+        $QUERY$
+        ALTER EXTENSION pgmq DROP TABLE pgmq.%I
+        $QUERY$,
+        atable
+    );
+
+    end if;
+
+    -- NO CHANGES PAST THIS POINT
+
+    EXECUTE FORMAT(
+        $QUERY$
+        DROP TABLE IF EXISTS pgmq.%I
+        $QUERY$,
+        qtable
+    );
+
+    EXECUTE FORMAT(
+        $QUERY$
+        DROP TABLE IF EXISTS pgmq.%I
+        $QUERY$,
+        atable
+    );
+
+     IF EXISTS (
+          SELECT 1
+          FROM information_schema.tables
+          WHERE table_name = 'meta' and table_schema = 'pgmq'
+     ) THEN
+        EXECUTE FORMAT(
+            $QUERY$
+            DELETE FROM pgmq.meta WHERE queue_name = %L
+            $QUERY$,
+            queue_name
+        );
+     END IF;
+
+     IF partitioned THEN
+        EXECUTE FORMAT(
+          $QUERY$
+          DELETE FROM %I.part_config where parent_table in (%L, %L)
+          $QUERY$,
+          pgmq._get_pg_partman_schema(), fq_qtable, fq_atable
+        );
+     END IF;
+
+    RETURN TRUE;
+END;
+$func$ LANGUAGE plpgsql;
+
+alter extension pgmq add function pgmq.drop_queue;
+
+
   update pg_extension set extowner = 'postgres'::regrole where extname = 'pgmq';
 
   for r in (select * from pg_depend where refobjid = extoid) loop
diff --git a/ansible/vars.yml b/ansible/vars.yml
@@ -22,8 +22,8 @@ postgrest_release: "12.2.3"
 postgrest_arm_release_checksum: sha1:fbfd6613d711ce1afa25c42d5df8f1b017f396f9
 postgrest_x86_release_checksum: sha1:61c513f91a8931be4062587b9d4a18b42acf5c05
 
-gotrue_release: 2.167.0
-gotrue_release_checksum: sha1:087553ffd442a050e716f3aae5f12ae716f44ae5
+gotrue_release: 2.168.0
+gotrue_release_checksum: sha1:c303e004f59a58f7cbefda6fa669fc77deabe8e6
 
 aws_cli_release: "2.2.7"
 
@@ -137,7 +137,7 @@ groonga_release_checksum: sha256:1c2d1a6981c1ad3f02a11aff202b15ba30cb1c6147f1fa9
 pgroonga_release: "3.0.7"
 pgroonga_release_checksum: sha256:885ff3878cc30e9030e5fc56d561bc8b66df3ede1562c9d802bc0ea04fe5c203
 
-wrappers_release: "0.4.3"
+wrappers_release: "0.4.4"
 
 hypopg_release: "1.4.1"
 hypopg_release_checksum: sha256:9afe6357fd389d8d33fad81703038ce520b09275ec00153c6c89282bcdedd6bc
diff --git a/nix/ext/pg_repack.nix b/nix/ext/pg_repack.nix
@@ -18,8 +18,8 @@ stdenv.mkDerivation (finalAttrs: {
   src = fetchFromGitHub {
     owner = "reorg";
     repo = "pg_repack";
-    rev = "85b64c6d4f599b2988343c4e7121acab505c9006";
-    hash = "sha256-lAuLI+vupusvn3uTzQ9OaLqkEfUVMCAwU9R70tTbb8Y=";
+    rev = "ver_${finalAttrs.version}";
+    hash = "sha256-wfjiLkx+S3zVrAynisX1GdazueVJ3EOwQEPcgUQt7eA=";
   };
 
   installPhase = ''
diff --git a/nix/ext/wrappers/default.nix b/nix/ext/wrappers/default.nix
@@ -17,16 +17,16 @@ let
 in
 buildPgrxExtension_0_12_6 rec {
   pname = "supabase-wrappers";
-  version = "0.4.3";
+  version = "0.4.4";
   # update the following array when the wrappers version is updated
   # required to ensure that extensions update scripts from previous versions are generated
-  previousVersions = ["0.4.2" "0.4.1" "0.4.0" "0.3.1" "0.3.0" "0.2.0" "0.1.19" "0.1.18" "0.1.17" "0.1.16" "0.1.15" "0.1.14" "0.1.12" "0.1.11" "0.1.10" "0.1.9" "0.1.8" "0.1.7" "0.1.6" "0.1.5" "0.1.4" "0.1.1" "0.1.0"];
+  previousVersions = ["0.4.3" "0.4.2" "0.4.1" "0.4.0" "0.3.1" "0.3.0" "0.2.0" "0.1.19" "0.1.18" "0.1.17" "0.1.16" "0.1.15" "0.1.14" "0.1.12" "0.1.11" "0.1.10" "0.1.9" "0.1.8" "0.1.7" "0.1.6" "0.1.5" "0.1.4" "0.1.1" "0.1.0"];
   inherit postgresql;
   src = fetchFromGitHub {
     owner = "supabase";
     repo = "wrappers";
     rev = "v${version}";
-    hash = "sha256-CkoNMoh40zbQL4V49ZNYgv3JjoNWjODtTpHn+L8DdZA=";
+    hash = "sha256-QoGFJpq8PuvMM8SS+VZd7MlNl56uFivRjs1tCtwX+oE=";
   };
  
   nativeBuildInputs = [ pkg-config cargo git ];
