fix: search path and migration grants

staaldraad · staaldraad · commit 0f2bc84cae95 · 2025-12-01T15:06:01.000+01:00
search_path not set on pgbouncer.get_auth and later migrations
don't apply permissions correctly.
diff --git a/ansible/files/pgbouncer_config/pgbouncer_auth_schema.sql b/ansible/files/pgbouncer_config/pgbouncer_auth_schema.sql
@@ -14,7 +14,9 @@ BEGIN
     SELECT usename::TEXT, passwd::TEXT FROM pg_catalog.pg_shadow
     WHERE usename = p_usename;
 END;
-$$ LANGUAGE plpgsql SECURITY DEFINER;
+$$ LANGUAGE plpgsql 
+SET search_path = ''
+SECURITY DEFINER;
 
 REVOKE ALL ON FUNCTION pgbouncer.get_auth(p_usename TEXT) FROM PUBLIC;
 GRANT EXECUTE ON FUNCTION pgbouncer.get_auth(p_usename TEXT) TO pgbouncer;
diff --git a/migrations/db/migrations/20251121132723_correct_search_path_pgbouncer.sql b/migrations/db/migrations/20251121132723_correct_search_path_pgbouncer.sql
@@ -0,0 +1,26 @@
+-- migrate:up
+
+create or replace function pgbouncer.get_auth(p_usename text) returns table (username text, password text)
+    language plpgsql 
+    set search_path = ''
+    security definer
+    as $$
+begin
+    raise debug 'PgBouncer auth request: %', p_usename;
+
+    return query
+    select 
+        rolname::text, 
+        case when rolvaliduntil < now() 
+            then null 
+            else rolpassword::text 
+        end 
+    from pg_authid 
+    where rolname=$1 and rolcanlogin;
+end;
+$$;
+
+revoke execute on function pgbouncer.get_auth(text) from public;
+grant execute on function pgbouncer.get_auth(text) to pgbouncer;
+-- migrate:down
+
diff --git a/migrations/schema-15.sql b/migrations/schema-15.sql
@@ -477,7 +477,9 @@ COMMENT ON FUNCTION extensions.set_graphql_placeholder() IS 'Reintroduces placeh
 --
 
 CREATE FUNCTION pgbouncer.get_auth(p_usename text) RETURNS TABLE(username text, password text)
-    LANGUAGE plpgsql SECURITY DEFINER
+    LANGUAGE plpgsql 
+    SET search_path = ''
+    SECURITY DEFINER
     AS $_$
 begin
     raise debug 'PgBouncer auth request: %', p_usename;
@@ -494,6 +496,8 @@ begin
 end;
 $_$;
 
+REVOKE ALL ON FUNCTION pgbouncer.get_auth(p_usename TEXT) FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION pgbouncer.get_auth(p_usename TEXT) TO pgbouncer;
 
 SET default_tablespace = '';
 
diff --git a/migrations/schema-17.sql b/migrations/schema-17.sql
@@ -478,7 +478,9 @@ COMMENT ON FUNCTION extensions.set_graphql_placeholder() IS 'Reintroduces placeh
 --
 
 CREATE FUNCTION pgbouncer.get_auth(p_usename text) RETURNS TABLE(username text, password text)
-    LANGUAGE plpgsql SECURITY DEFINER
+    LANGUAGE plpgsql 
+    SET search_path = ''
+    SECURITY DEFINER
     AS $_$
 begin
     raise debug 'PgBouncer auth request: %', p_usename;
@@ -495,6 +497,8 @@ begin
 end;
 $_$;
 
+REVOKE ALL ON FUNCTION pgbouncer.get_auth(p_usename TEXT) FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION pgbouncer.get_auth(p_usename TEXT) TO pgbouncer;
 
 SET default_tablespace = '';
 
diff --git a/migrations/schema-orioledb-17.sql b/migrations/schema-orioledb-17.sql
@@ -492,7 +492,9 @@ COMMENT ON FUNCTION extensions.set_graphql_placeholder() IS 'Reintroduces placeh
 --
 
 CREATE FUNCTION pgbouncer.get_auth(p_usename text) RETURNS TABLE(username text, password text)
-    LANGUAGE plpgsql SECURITY DEFINER
+    LANGUAGE plpgsql 
+    SET search_path = ''
+    SECURITY DEFINER
     AS $_$
 begin
     raise debug 'PgBouncer auth request: %', p_usename;
@@ -509,6 +511,8 @@ begin
 end;
 $_$;
 
+REVOKE ALL ON FUNCTION pgbouncer.get_auth(p_usename TEXT) FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION pgbouncer.get_auth(p_usename TEXT) TO pgbouncer;
 
 SET default_tablespace = '';
 
diff --git a/nix/tests/expected/pgbouncer.out b/nix/tests/expected/pgbouncer.out
@@ -83,5 +83,21 @@ select pgbouncer.get_auth('test_valid_user_password');
  (test_valid_user_password,SCRAM-SHA-256$4096:testsaltbase64$storedkeybase64$serverkeybase64)
 (1 row)
 
+
+-- Test pgbouncer.get_auth is executable by the pgbouncer user
+set role pgbouncer;
+select pgbouncer.get_auth('test_expired_user_password');
+           get_auth            
+-------------------------------
+ (test_expired_user_password,)
+(1 row)
+reset role;
+
+-- and not other non-superusers
+set role postgres;
+select pgbouncer.get_auth('test_expired_user_password');
+ERROR:  permission denied for function get_auth
+reset role;
+
 drop role test_expired_user_password;
 drop role test_valid_user_password;
diff --git a/nix/tests/sql/pgbouncer.sql b/nix/tests/sql/pgbouncer.sql
@@ -62,5 +62,15 @@ select pgbouncer.get_auth('test_expired_user_password');
 
 select pgbouncer.get_auth('test_valid_user_password');
 
+-- Test pgbouncer.get_auth is executable by the pgbouncer user
+set role pgbouncer;
+select pgbouncer.get_auth('test_expired_user_password');
+reset role;
+
+-- and not other non-superusers
+set role postgres;
+select pgbouncer.get_auth('test_expired_user_password');
+reset role;
+
 drop role test_expired_user_password;
 drop role test_valid_user_password;
