feat: multiple versions for the pgaudit extension

jfroche · jfroche · commit c3ab4368c923 · 2025-08-13T23:24:34.000+02:00
Build multiple versions of the pgaudit extension on different PostgreSQL versions.
Add test for the extensions and their upgrade on PostgreSQL 15 and 17.
diff --git a/nix/checks.nix b/nix/checks.nix
@@ -309,6 +309,7 @@
             ;
         }
         // pkgs.lib.optionalAttrs (system == "x86_64-linux") {
+          pgaudit = import ./ext/tests/pgaudit.nix { inherit self; inherit pkgs; };
           wrappers = import ./ext/tests/wrappers.nix {
             inherit self;
             inherit pkgs;
diff --git a/nix/ext/pgaudit.nix b/nix/ext/pgaudit.nix
@@ -1,61 +1,132 @@
 {
   lib,
   stdenv,
+  buildEnv,
   fetchFromGitHub,
   libkrb5,
   openssl,
   postgresql,
 }:
 #adapted from https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/sql/postgresql/ext/pgaudit.nix
 let
-  source =
-    {
-      "17" = {
-        version = "17.0";
-        hash = "sha256-3ksq09wiudQPuBQI3dhEQi8IkXKLVIsPFgBnwLiicro=";
-      };
-      "16" = {
-        version = "16.0";
-        hash = "sha256-8+tGOl1U5y9Zgu+9O5UDDE4bec4B0JC/BQ6GLhHzQzc=";
-      };
-      "15" = {
-        version = "1.7.0";
-        hash = "sha256-8pShPr4HJaJQPjW1iPJIpj3CutTx8Tgr+rOqoXtgCcw=";
-      };
-    }
-    .${lib.versions.major postgresql.version}
-    or (throw "Source for pgaudit is not available for ${postgresql.version}");
-in
-stdenv.mkDerivation {
   pname = "pgaudit";
-  inherit (source) version;
+  # Load version configuration from external file
+  allVersions = (builtins.fromJSON (builtins.readFile ./versions.json)).${pname};
 
-  src = fetchFromGitHub {
-    owner = "pgaudit";
-    repo = "pgaudit";
-    rev = source.version;
-    hash = source.hash;
-  };
+  # Filter versions compatible with current PostgreSQL version
+  supportedVersions = lib.filterAttrs (
+    _: value: builtins.elem (lib.versions.major postgresql.version) value.postgresql
+  ) allVersions;
+
+  # Derived version information
+  versions = lib.naturalSort (lib.attrNames supportedVersions);
+  latestVersion = lib.last versions;
+  numberOfVersions = builtins.length versions;
+  packages = builtins.attrValues (
+    lib.mapAttrs (name: value: build name value.hash) supportedVersions
+  );
+
+  # Build function for individual pgaudit versions
+  build =
+    version: hash:
+    stdenv.mkDerivation {
+      inherit pname version;
+
+      src = fetchFromGitHub {
+        owner = "pgaudit";
+        repo = "pgaudit";
+        rev = version;
+        inherit hash;
+      };
+
+      buildInputs = [
+        libkrb5
+        openssl
+        postgresql
+      ];
+
+      makeFlags = [ "USE_PGXS=1" ];
 
-  buildInputs = [
-    libkrb5
-    openssl
-    postgresql
+      postBuild =
+        lib.optionalString (version == "1.7.0") ''
+          mv ${pname}--1.7.sql ${pname}--1.7.0.sql
+          cp ${pname}--1.7.0.sql ${pname}--1.6.1--1.7.0.sql
+        ''
+        + lib.optionalString (version == "1.7.1") ''
+          mv ${pname}--1.7--1.7.1.sql ${pname}--1.7.0--1.7.1.sql
+        '';
+
+      installPhase = ''
+        runHook preInstall
+
+        mkdir -p $out/{lib,share/postgresql/extension}
+
+        # Install shared library with version suffix
+        mv ${pname}${postgresql.dlSuffix} $out/lib/${pname}-${version}${postgresql.dlSuffix}
+
+        # Install SQL files
+        sed -i '1s/^/DROP EVENT TRIGGER IF EXISTS pgaudit_ddl_command_end; \n/' *.sql
+        sed -i '1s/^/DROP EVENT TRIGGER IF EXISTS pgaudit_sql_drop; \n/' *.sql
+        sed -i 's/CREATE FUNCTION/CREATE OR REPLACE FUNCTION/' *.sql
+        cp *.sql $out/share/postgresql/extension
+
+        # Create version-specific control file
+        sed -e "/^default_version =/d" \
+            -e "s|^module_pathname = .*|module_pathname = '\$libdir/${pname}'|" \
+          ${pname}.control > $out/share/postgresql/extension/${pname}--${version}.control
+
+        # For the latest version, create default control file and symlink
+        if [[ "${version}" == "${latestVersion}" ]]; then
+          {
+            echo "default_version = '${latestVersion}'"
+            cat $out/share/postgresql/extension/${pname}--${latestVersion}.control
+          } > $out/share/postgresql/extension/${pname}.control
+          ln -sfn ${pname}-${latestVersion}${postgresql.dlSuffix} $out/lib/${pname}${postgresql.dlSuffix}
+        fi
+
+        runHook postInstall
+      '';
+
+      meta = with lib; {
+        description = "Open Source PostgreSQL Audit Logging";
+        homepage = "https://github.com/pgaudit/pgaudit";
+        changelog = "https://github.com/pgaudit/pgaudit/releases/tag/${source.version}";
+        license = licenses.postgresql;
+        inherit (postgresql.meta) platforms;
+      };
+    };
+in
+buildEnv {
+  name = pname;
+  paths = packages;
+  pathsToLink = [
+    "/lib"
+    "/share/postgresql/extension"
   ];
+  postBuild = ''
+    # checks
+    (set -x
+       test "$(ls -A $out/lib/${pname}*${postgresql.dlSuffix} | wc -l)" = "${
+         toString (numberOfVersions + 1)
+       }"
+    )
 
-  makeFlags = [ "USE_PGXS=1" ];
+    # Verify all expected library files are present
+    expectedFiles=${toString (numberOfVersions + 1)}
+    actualFiles=$(ls -A $out/lib/${pname}*${postgresql.dlSuffix} | wc -l)
 
-  installPhase = ''
-    install -D -t $out/lib pgaudit${postgresql.dlSuffix}
-    install -D -t $out/share/postgresql/extension *.sql
-    install -D -t $out/share/postgresql/extension *.control
+    if [[ "$actualFiles" != "$expectedFiles" ]]; then
+      echo "Error: Expected $expectedFiles library files, found $actualFiles"
+      echo "Files found:"
+      ls -la $out/lib/${pname}*${postgresql.dlSuffix} || true
+      exit 1
+    fi
   '';
 
-  meta = with lib; {
-    description = "Open Source PostgreSQL Audit Logging";
-    homepage = "https://github.com/pgaudit/pgaudit";
-    changelog = "https://github.com/pgaudit/pgaudit/releases/tag/${source.version}";
-    platforms = postgresql.meta.platforms;
-    license = licenses.postgresql;
+  passthru = {
+    inherit versions numberOfVersions;
+    pname = "${pname}-all";
+    version =
+      "multi-" + lib.concatStringsSep "-" (map (v: lib.replaceStrings [ "." ] [ "-" ] v) versions);
   };
 }
diff --git a/nix/ext/tests/pgaudit.nix b/nix/ext/tests/pgaudit.nix
@@ -0,0 +1,163 @@
+{ self, pkgs }:
+let
+  pname = "pgaudit";
+  inherit (pkgs) lib;
+  installedExtension =
+    postgresMajorVersion: self.packages.${pkgs.system}."psql_${postgresMajorVersion}/exts/${pname}-all";
+  versions = postgresqlMajorVersion: (installedExtension postgresqlMajorVersion).versions;
+  postgresqlWithExtension =
+    postgresql:
+    let
+      majorVersion = lib.versions.major postgresql.version;
+      pkg = pkgs.buildEnv {
+        name = "postgresql-${majorVersion}-${pname}";
+        paths = [
+          postgresql
+          postgresql.lib
+          (installedExtension majorVersion)
+        ];
+        passthru = {
+          inherit (postgresql) version psqlSchema;
+          lib = pkg;
+          withPackages = _: pkg;
+        };
+        nativeBuildInputs = [ pkgs.makeWrapper ];
+        pathsToLink = [
+          "/"
+          "/bin"
+          "/lib"
+        ];
+        postBuild = ''
+          wrapProgram $out/bin/postgres --set NIX_PGLIBDIR $out/lib
+          wrapProgram $out/bin/pg_ctl --set NIX_PGLIBDIR $out/lib
+          wrapProgram $out/bin/pg_upgrade --set NIX_PGLIBDIR $out/lib
+        '';
+      };
+    in
+    pkg;
+in
+self.inputs.nixpkgs.lib.nixos.runTest {
+  name = pname;
+  hostPkgs = pkgs;
+  nodes.server =
+    { config, ... }:
+    {
+      virtualisation = {
+        forwardPorts = [
+          {
+            from = "host";
+            host.port = 13022;
+            guest.port = 22;
+          }
+        ];
+      };
+      services.openssh = {
+        enable = true;
+      };
+      users.users.root.openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIo+ulCUfJjnCVgfM4946Ih5Nm8DeZZiayYeABHGPEl7 jfroche"
+      ];
+
+      services.postgresql = {
+        enable = true;
+        package = postgresqlWithExtension self.packages.${pkgs.system}.postgresql_15;
+        settings = {
+          "shared_preload_libraries" = pname;
+        };
+      };
+
+      specialisation.postgresql17.configuration = {
+        services.postgresql = {
+          package = lib.mkForce (postgresqlWithExtension self.packages.${pkgs.system}.postgresql_17);
+        };
+
+        systemd.services.postgresql-migrate = {
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+            User = "postgres";
+            Group = "postgres";
+            StateDirectory = "postgresql";
+            WorkingDirectory = "${builtins.dirOf config.services.postgresql.dataDir}";
+          };
+          script =
+            let
+              oldPostgresql = postgresqlWithExtension self.packages.${pkgs.system}.postgresql_15;
+              newPostgresql = postgresqlWithExtension self.packages.${pkgs.system}.postgresql_17;
+              oldDataDir = "${builtins.dirOf config.services.postgresql.dataDir}/${oldPostgresql.psqlSchema}";
+              newDataDir = "${builtins.dirOf config.services.postgresql.dataDir}/${newPostgresql.psqlSchema}";
+            in
+            ''
+              if [[ ! -d ${newDataDir} ]]; then
+                install -d -m 0700 -o postgres -g postgres "${newDataDir}"
+                ${newPostgresql}/bin/initdb -D "${newDataDir}"
+                echo "shared_preload_libraries = '${pname}'" >> "${newDataDir}/postgresql.conf"
+                ${newPostgresql}/bin/pg_upgrade --old-datadir "${oldDataDir}" --new-datadir "${newDataDir}" \
+                  --old-bindir "${oldPostgresql}/bin" --new-bindir "${newPostgresql}/bin"
+              else
+                echo "${newDataDir} already exists"
+              fi
+            '';
+        };
+
+        systemd.services.postgresql = {
+          after = [ "postgresql-migrate.service" ];
+          requires = [ "postgresql-migrate.service" ];
+        };
+      };
+
+    };
+  testScript =
+    { nodes, ... }:
+    let
+      pg17-configuration = "${nodes.server.system.build.toplevel}/specialisation/postgresql17";
+    in
+    ''
+      versions = {
+        "15": [${lib.concatStringsSep ", " (map (s: ''"${s}"'') (versions "15"))}],
+        "17": [${lib.concatStringsSep ", " (map (s: ''"${s}"'') (versions "17"))}],
+      }
+
+      def run_sql(query):
+        return server.succeed(f"""sudo -u postgres psql -t -A -F\",\" -c \"{query}\" """).strip()
+
+      def check_upgrade_path(pg_version):
+        with subtest("Check ${pname} upgrade path"):
+          firstVersion = versions[pg_version][0]
+          server.succeed("sudo -u postgres psql -c 'DROP EXTENSION IF EXISTS ${pname};'")
+          run_sql(f"""CREATE EXTENSION ${pname} WITH VERSION '{firstVersion}';""")
+          installed_version = run_sql(r"""SELECT extversion FROM pg_extension WHERE extname = '${pname}';""")
+          assert installed_version == firstVersion, f"Expected ${pname} version {firstVersion}, but found {installed_version}"
+          for version in versions[pg_version][1:]:
+            run_sql(f"""ALTER EXTENSION ${pname} UPDATE TO '{version}';""")
+            installed_version = run_sql(r"""SELECT extversion FROM pg_extension WHERE extname = '${pname}';""")
+            assert installed_version == version, f"Expected ${pname} version {version}, but found {installed_version}"
+
+      start_all()
+
+      server.wait_for_unit("multi-user.target")
+      server.wait_for_unit("postgresql.service")
+
+      check_upgrade_path("15")
+
+      with subtest("Check ${pname} latest extension version"):
+        server.succeed("sudo -u postgres psql -c 'DROP EXTENSION ${pname};'")
+        server.succeed("sudo -u postgres psql -c 'CREATE EXTENSION ${pname};'")
+        installed_extensions=run_sql(r"""SELECT extname, extversion FROM pg_extension;""")
+        latestVersion = versions["15"][-1]
+        assert f"${pname},{latestVersion}" in installed_extensions
+
+      with subtest("switch to postgresql 17"):
+        server.succeed(
+          "${pg17-configuration}/bin/switch-to-configuration test >&2"
+        )
+
+      # cannot upgrade pgaudit from 15 to 17
+      # with subtest("Check ${pname} latest extension version"):
+      #   installed_extensions=run_sql(r"""SELECT extname, extversion FROM pg_extension;""")
+      #   latestVersion = versions["17"][-1]
+      #   assert f"${pname},{latestVersion}" in installed_extensions
+
+      check_upgrade_path("17")
+    '';
+}
diff --git a/nix/ext/versions.json b/nix/ext/versions.json
@@ -20,5 +20,37 @@
       ],
       "hash": "sha256-G0eQk2bY5CNPMeokN/nb05g03CuiplRf902YXFVQFbs="
     }
+  },
+  "pgaudit": {
+    "1.6.1": {
+      "postgresql": [
+        "15"
+      ],
+      "hash": "sha256-vxUDVq7nWkq7Qugy7HJLOXk4B61MSBIYQkzcbU6wSG8="
+    },
+    "1.7.0": {
+      "postgresql": [
+        "15"
+      ],
+      "hash": "sha256-8pShPr4HJaJQPjW1iPJIpj3CutTx8Tgr+rOqoXtgCcw="
+    },
+    "1.7.1": {
+      "postgresql": [
+        "15"
+      ],
+      "hash": "sha256-emwoTowT7WKFX0RQDqJXjIblrzqaUIUkzqSqBCHVKQ8="
+    },
+    "17.0": {
+      "postgresql": [
+        "17"
+      ],
+      "hash": "sha256-3ksq09wiudQPuBQI3dhEQi8IkXKLVIsPFgBnwLiicro="
+    },
+    "17.1": {
+      "postgresql": [
+        "17"
+      ],
+      "hash": "sha256-9St/ESPiFq2NiPKqbwHLwkIyATKUkOGxFcUrWgT+Iqo="
+   }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -309,6 +309,7 @@`
`309`	`309`	`;`
`310`	`310`	`}`
`311`	`311`	`// pkgs.lib.optionalAttrs (system == "x86_64-linux") {`
	`312`	`+ pgaudit = import ./ext/tests/pgaudit.nix { inherit self; inherit pkgs; };`
`312`	`313`	`wrappers = import ./ext/tests/wrappers.nix {`
`313`	`314`	`inherit self;`
`314`	`315`	`inherit pkgs;`