Merge branch 'develop' into bo/chore/wrappers-0.5.1

Author: burmecia

ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh

@@ -226,9 +226,14 @@ EOF
         AND EXISTS (SELECT FROM pg_extension WHERE extname = 'supabase_vault')
       THEN
         IF (SELECT extversion FROM pg_extension WHERE extname = 'supabase_vault') != '0.2.8' THEN
-          GRANT USAGE ON SCHEMA vault TO postgres WITH GRANT OPTION;
-          GRANT SELECT, DELETE ON vault.secrets, vault.decrypted_secrets TO postgres WITH GRANT OPTION;
-          GRANT EXECUTE ON FUNCTION vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt TO postgres WITH GRANT OPTION;
+          grant usage on schema vault to postgres with grant option;
+          grant select, delete, truncate, references on vault.secrets, vault.decrypted_secrets to postgres with grant option;
+          grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to postgres with grant option;
+
+          -- service_role used to be able to manage secrets in Vault <=0.2.8 because it had privileges to pgsodium functions
+          grant usage on schema vault to service_role;
+          grant select, delete on vault.secrets, vault.decrypted_secrets to service_role;
+          grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to service_role;
         END IF;
         -- Do an explicit IF EXISTS check to avoid referencing pgsodium objects if the project already migrated away from using pgsodium.
         IF EXISTS (SELECT FROM vault.secrets WHERE key_id IS NOT NULL) THEN

ansible/files/postgresql_config/supautils.conf.j2

@@ -7,7 +7,7 @@ supautils.drop_trigger_grants = '{"postgres":["auth.audit_log_entries","auth.ide
 # omitted because doesn't require superuser: pgmq
 # omitted because protected:                 plpgsql
 supautils.privileged_extensions = 'address_standardizer, address_standardizer_data_us, autoinc, bloom, btree_gin, btree_gist, citext, cube, dblink, dict_int, dict_xsyn, earthdistance, fuzzystrmatch, hstore, http, hypopg, index_advisor, insert_username, intarray, isn, ltree, moddatetime, orioledb, pg_buffercache, pg_cron, pg_graphql, pg_hashids, pg_jsonschema, pg_net, pg_prewarm, pg_repack, pg_stat_monitor, pg_stat_statements, pg_tle, pg_trgm, pg_walinspect, pgaudit, pgcrypto, pgjwt, pgroonga, pgroonga_database, pgrouting, pgrowlocks, pgsodium, pgstattuple, pgtap, plcoffee, pljava, plls, plpgsql_check, plv8, postgis, postgis_raster, postgis_sfcgal, postgis_tiger_geocoder, postgis_topology, postgres_fdw, refint, rum, seg, sslinfo, supabase_vault, supautils, tablefunc, tcn, timescaledb, tsm_system_rows, tsm_system_time, unaccent, uuid-ossp, vector, wrappers'
-supautils.privileged_extensions_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
+supautils.extension_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
 supautils.privileged_extensions_superuser = 'supabase_admin'
 supautils.privileged_role = 'postgres'
 supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression'

ansible/vars.yml

@@ -9,9 +9,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.0.1.089-orioledb"
-  postgres17: "17.4.1.039"
-  postgres15: "15.8.1.096"
+  postgresorioledb-17: "17.0.1.091-orioledb"
+  postgres17: "17.4.1.041"
+  postgres15: "15.8.1.098"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"
@@ -53,7 +53,7 @@ postgres_exporter_release_checksum:
   amd64: sha256:cb89fc5bf4485fb554e0d640d9684fae143a4b2d5fa443009bd29c59f9129e84
 
 adminapi_release: 0.84.1
-adminmgr_release: 0.25.0
+adminmgr_release: 0.25.1
 
 vector_x86_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_amd64.deb"
 vector_arm_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_arm64.deb"

nix/cargo-pgrx/default.nix

@@ -74,7 +74,12 @@ in
   cargo-pgrx_0_12_9 = generic {
     version = "0.12.9";
     hash = "sha256-aR3DZAjeEEAjLQfZ0ZxkjLqTVMIEbU0UiZ62T4BkQq8=";
-    cargoHash = "sha256-53HKhvsKLTa2JCByLEcK3UzWXoM+LTatd98zvS1C9no=";
+    cargoHash = "sha256-KTKcol9qSNLQZGW32e6fBb6cPkUGItknyVpLdBYqrBY=";
+  };
+  cargo-pgrx_0_14_3 = generic {
+    version = "0.14.3";
+    hash = "sha256-3TsNpEqNm3Uol5XPW1i0XEbP2fF2+RKB2d7lO6BDnvQ=";
+    cargoHash = "sha256-Ny7j56pwB+2eEK62X0nWfFKQy5fBz+Q1oyvecivxLkk=";
   };
   cargo-pgrx_0_14_3 = generic {
     version = "0.14.3";

nix/ext/supautils.nix

@@ -2,21 +2,21 @@
 
 stdenv.mkDerivation rec {
   pname = "supautils";
-  version = "2.9.1";
+  version = "2.9.4";
 
   buildInputs = [ postgresql ];
 
   src = fetchFromGitHub {
     owner = "supabase";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-Rw7dmIUg9bJ7SuiHxCsZtnVhdG9hg4WlptiB/MxVmPc=";
+    hash = "sha256-qP9fOEWXw+wY49GopTizwxSBEGS0UoseJHVBtKS/BdI=";
   };
 
   installPhase = ''
     mkdir -p $out/lib
 
-    install -D build/*${postgresql.dlSuffix} -t $out/lib
+    install -D *${postgresql.dlSuffix} -t $out/lib
   '';
 
   meta = with lib; {

nix/tools/run-server.sh.in

@@ -220,7 +220,7 @@ mkdir -p "$DATDIR/extension-custom-scripts"
 cp -r "$EXTENSION_CUSTOM_SCRIPTS"/* "$DATDIR/extension-custom-scripts"
 
 # Configure supautils
-sed "s|supautils.privileged_extensions_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'|supautils.privileged_extensions_custom_scripts_path = '$DATDIR/extension-custom-scripts'|" "$SUPAUTILS_CONFIG_FILE" > "$DATDIR/supautils.conf"
+sed "s|supautils.extension_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'|supautils.extension_custom_scripts_path = '$DATDIR/extension-custom-scripts'|" "$SUPAUTILS_CONFIG_FILE" > "$DATDIR/supautils.conf"
 
 # Configure PostgreSQL
 sed -e "1i\\