Skip to content

Commit e564965

Browse files
kangmingtaykangmingtay
committed
chore: add pgbouncer test for role privileges
1 parent 25d23b7 commit e564965

File tree

2 files changed

+60
-0
lines changed

2 files changed

+60
-0
lines changed

nix/tests/expected/pgbouncer.out

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,3 +33,35 @@ order by
3333
pgbouncer | get_auth | supabase_admin
3434
(1 row)
3535

36+
-- Tests role privileges on the pgbouncer objects
37+
-- INSERT and UPDATE privileges should not be present on the pgbouncer tables for postgres and service_role, only SELECT and DELETE
38+
WITH schema_obj AS (
39+
SELECT oid, nspname
40+
FROM pg_namespace
41+
WHERE nspname = 'pgbouncer'
42+
)
43+
SELECT
44+
s.nspname AS schema,
45+
c.relname AS object_name,
46+
acl.grantee::regrole::text AS grantee,
47+
acl.privilege_type
48+
FROM pg_class c
49+
JOIN schema_obj s ON s.oid = c.relnamespace
50+
CROSS JOIN LATERAL aclexplode(c.relacl) AS acl
51+
WHERE c.relkind IN ('r', 'v', 'm', 'f', 'p')
52+
AND acl.privilege_type <> 'MAINTAIN'
53+
UNION ALL
54+
SELECT
55+
s.nspname AS schema,
56+
p.proname AS object_name,
57+
acl.grantee::regrole::text AS grantee,
58+
acl.privilege_type
59+
FROM pg_proc p
60+
JOIN schema_obj s ON s.oid = p.pronamespace
61+
CROSS JOIN LATERAL aclexplode(p.proacl) AS acl
62+
ORDER BY object_name, grantee, privilege_type;
63+
schema | object_name | grantee | privilege_type
64+
-----------+-------------+----------------+----------------
65+
pgbouncer | get_auth | pgbouncer | EXECUTE
66+
pgbouncer | get_auth | postgres | EXECUTE
67+
pgbouncer | get_auth | supabase_admin | EXECUTE

nix/tests/sql/pgbouncer.sql

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,3 +24,31 @@ where
2424
n.nspname = 'pgbouncer'
2525
order by
2626
p.proname;
27+
28+
-- Tests role privileges on the pgbouncer objects
29+
-- INSERT and UPDATE privileges should not be present on the pgbouncer tables for postgres and service_role, only SELECT and DELETE
30+
WITH schema_obj AS (
31+
SELECT oid, nspname
32+
FROM pg_namespace
33+
WHERE nspname = 'pgbouncer'
34+
)
35+
SELECT
36+
s.nspname AS schema,
37+
c.relname AS object_name,
38+
acl.grantee::regrole::text AS grantee,
39+
acl.privilege_type
40+
FROM pg_class c
41+
JOIN schema_obj s ON s.oid = c.relnamespace
42+
CROSS JOIN LATERAL aclexplode(c.relacl) AS acl
43+
WHERE c.relkind IN ('r', 'v', 'm', 'f', 'p')
44+
AND acl.privilege_type <> 'MAINTAIN'
45+
UNION ALL
46+
SELECT
47+
s.nspname AS schema,
48+
p.proname AS object_name,
49+
acl.grantee::regrole::text AS grantee,
50+
acl.privilege_type
51+
FROM pg_proc p
52+
JOIN schema_obj s ON s.oid = p.pronamespace
53+
CROSS JOIN LATERAL aclexplode(p.proacl) AS acl
54+
ORDER BY object_name, grantee, privilege_type;

0 commit comments

Comments
 (0)