test

soedirgo · soedirgo · commit d4c12970fca2 · 2024-08-08T14:24:27.000+08:00
diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh
@@ -316,24 +316,29 @@ function initiate_upgrade {
     if [ "$OLD_BOOTSTRAP_USER" = "postgres" ]; then
         run_sql -c "create role supabase_tmp login superuser;"
         # TODO: move to its own file
-        # TODO: GRANTED BY, ADMIN OPTION
+        # TODO: GRANT TO postgres
+        # TODO: GRANTED BY postgres
         psql -h localhost -U supabase_tmp -d postgres <<'EOSQL'
 do $$
 declare
   postgres_rolpassword text := (select rolpassword from pg_authid where rolname = 'postgres');
   supabase_admin_rolpassword text := (select rolpassword from pg_authid where rolname = 'supabase_admin');
   postgres_role_settings text[] := (select setconfig from pg_db_role_setting where setdatabase = 0 and setrole = 'postgres'::regrole);
   supabase_admin_role_settings text[] := (select setconfig from pg_db_role_setting where setdatabase = 0 and setrole = 'supabase_admin'::regrole);
-  schemas jsonb[] := (select coalesce(array_agg(jsonb_build_object('oid', oid, 'owner', nspowner::regrole, 'acl', nspacl::text)), '{}') from pg_namespace);
+  schemas jsonb[] := (
+    select coalesce(array_agg(jsonb_build_object('oid', oid, 'owner', nspowner::regrole, 'acl', nspacl::text)), '{}')
+    from pg_namespace
+    where true
+      and nspname != 'information_schema'
+      and not starts_with(nspname, 'pg_')
+  );
   types jsonb[] := (
     select coalesce(array_agg(jsonb_build_object('oid', t.oid, 'acl', t.typacl::text)), '{}')
     from pg_type t
     join pg_namespace n on n.oid = t.typnamespace
-    join pg_authid a on a.oid = t.typowner
     where true
       and n.nspname != 'information_schema'
       and not starts_with(n.nspname, 'pg_')
-      and a.rolname = 'postgres'
       and (
         t.typrelid = 0
         or (
@@ -354,7 +359,7 @@ declare
           and el.typarray = t.oid
       )
   );
-  routines jsonb[] := (
+  functions jsonb[] := (
     select coalesce(array_agg(jsonb_build_object('oid', p.oid, 'acl', p.proacl::text)), '{}')
     from pg_proc p
     join pg_namespace n on n.oid = p.pronamespace
@@ -466,13 +471,12 @@ begin
   foreach obj in array schemas
   loop
     if obj->>'owner' = 'postgres' then
-      execute(format('alter schema %I owner to postgres;', (obj->>'oid')::regnamespace));
+      execute(format('alter schema %s owner to postgres;', (obj->>'oid')::regnamespace));
     end if;
-    -- TODO: don't modify system catalog directly
     for rec in
       select grantor, grantee, privilege_type, is_grantable
       from aclexplode((obj->>'acl')::aclitem[])
-      where grantee = 'supabase_admin'::regrole
+      where grantee = 'postgres'::regrole
     loop
       execute(format('grant %s on schema %s to postgres %s', rec.privilege_type, (obj->>'oid')::regnamespace, case when rec.is_grantable then 'with grant option' else '' end));
     end loop;
@@ -481,26 +485,48 @@ begin
   -- types
   foreach obj in array types
   loop
-    execute(format('alter type %s owner to postgres;', (obj->>'oid')::regtype));
-    -- TODO: don't modify system catalog directly
-    update pg_type set typacl = (obj->>'acl')::aclitem[] where oid = obj->>'oid';
+    if obj->>'owner' = 'postgres' then
+      execute(format('alter type %s owner to postgres;', (obj->>'oid')::regtype));
+    end if;
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+      where grantee = 'postgres'::regrole
+    loop
+      execute(format('grant %s on type %s to postgres %s', rec.privilege_type, (obj->>'oid')::regtype, case when rec.is_grantable then 'with grant option' else '' end));
+    end loop;
   end loop;
 
   -- functions
-  foreach obj in array routines
+  foreach obj in array functions
   loop
-    execute(format('alter routine %s(%s) owner to postgres;', (obj->>'oid')::regproc, pg_get_function_identity_arguments((obj->>'oid')::regproc)));
-    -- TODO: don't modify system catalog directly
-    update pg_proc set proacl = (obj->>'acl')::aclitem[] where oid = (obj->>'oid')::regproc;
+    if obj->>'owner' = 'postgres' then
+      execute(format('alter routine %s(%s) owner to postgres;', (obj->>'oid')::regproc, pg_get_function_identity_arguments((obj->>'oid')::regproc)));
+    end if;
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+      where grantee = 'postgres'::regrole
+    loop
+      execute(format('grant %s on function %s(%s) to postgres %s', rec.privilege_type, (obj->>'oid')::regproc, pg_get_function_identity_arguments((obj->>'oid')::regproc), case when rec.is_grantable then 'with grant option' else '' end));
+    end loop;
   end loop;
 
   -- relations
   foreach obj in array relations
   loop
     -- obj->>'oid' (text) needs to be casted to oid first for some reason
-    execute(format('alter table %s owner to postgres;', (obj->>'oid')::oid::regclass));
-    -- TODO: don't modify system catalog directly
-    update pg_class set relacl = (obj->>'acl')::aclitem[] where oid = (obj->>'oid')::oid::regclass;
+
+    if obj->>'owner' = 'postgres' then
+      execute(format('alter table %s owner to postgres;', (obj->>'oid')::oid::regclass));
+    end if;
+    for rec in
+      select grantor, grantee, privilege_type, is_grantable
+      from aclexplode((obj->>'acl')::aclitem[])
+      where grantee = 'postgres'::regrole
+    loop
+      execute(format('grant %s on table %s to postgres %s', rec.privilege_type, (obj->>'oid')::oid::regclass, case when rec.is_grantable then 'with grant option' else '' end));
+    end loop;
   end loop;
 end
 $$;
