
Commit 87cd7a6

committed
chore: revoke from postgres role
1 parent ed261b7 commit 87cd7a6


3 files changed

+11
-15
lines changed


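--- a/migrations/db/migrations/20251121132723_correct_search_path_pgbouncer.sql
+++ b/migrations/db/migrations/20251121132723_correct_search_path_pgbouncer.sql
@@ -20,7 +20,8 @@ begin
 end;
 $$;
 
-revoke execute on function pgbouncer.get_auth(text) from public;
+revoke all on function pgbouncer.get_auth(text) from public;
+revoke execute on function pgbouncer.get_auth(text) from postgres;
 grant execute on function pgbouncer.get_auth(text) to pgbouncer;
 -- migrate:down
 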
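Review bot: The added `revoke execute on function pgbouncer.get_auth(text) from postgres;` edits an existing timestamped migration (20251121132723) in place, so a database that has already applied this version would presumably not re-run it and `postgres` would keep EXECUTE on a function that, per the updated test output, returns a role's SCRAM verifier. If that version has been applied anywhere, the revoke belongs in a new migration file instead. A why-comment above the statement would help the next reader, e.g. `-- get_auth returns password verifiers: only pgbouncer may execute it, not postgres`. The two revokes also use different privilege keywords (`all` for public, `execute` for postgres) for no reason visible here; using one form for both would read more clearly. The function body starts outside this hunk.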

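--- a/nix/tests/expected/pgbouncer.out
+++ b/nix/tests/expected/pgbouncer.out
@@ -62,9 +62,8 @@ ORDER BY object_name, grantee, privilege_type;
 schema | object_name | grantee | privilege_type
 -----------+-------------+----------------+----------------
 pgbouncer | get_auth | pgbouncer | EXECUTE
-pgbouncer | get_auth | postgres | EXECUTE
 pgbouncer | get_auth | supabase_admin | EXECUTE
-(3 rows)
+(2 rows)
 
 -- Ensure that pgbouncer.get_auth() function does not return an expired password
 create role test_expired_user_password with login password 'expired_password' valid until '2000-01-01 00:00:00+00';
@@ -85,21 +84,17 @@ select pgbouncer.get_auth('test_valid_user_password');
 
 -- Test pgbouncer.get_auth is executable by the pgbouncer user
 set role pgbouncer;
-select pgbouncer.get_auth('test_expired_user_password');
-get_auth
--------------------------------
-(test_expired_user_password,)
+select pgbouncer.get_auth('test_valid_user_password');
+get_auth
+----------------------------------------------------------------------------------------------
+(test_valid_user_password,SCRAM-SHA-256$4096:testsaltbase64$storedkeybase64$serverkeybase64)
 (1 row)
 
 reset role;
 -- and not other non-superusers
 set role postgres;
-select pgbouncer.get_auth('test_expired_user_password');
-get_auth
--------------------------------
-(test_expired_user_password,)
-(1 row)
-
+select pgbouncer.get_auth('test_valid_user_password');
+ERROR: permission denied for function get_auth
 reset role;
 drop role test_expired_user_password;
 drop role test_valid_user_password;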

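--- a/nix/tests/sql/pgbouncer.sql
+++ b/nix/tests/sql/pgbouncer.sql
@@ -64,12 +64,12 @@ select pgbouncer.get_auth('test_valid_user_password');
 
 -- Test pgbouncer.get_auth is executable by the pgbouncer user
 set role pgbouncer;
-select pgbouncer.get_auth('test_expired_user_password');
+select pgbouncer.get_auth('test_valid_user_password');
 reset role;
 
 -- and not other non-superusers
 set role postgres;
-select pgbouncer.get_auth('test_expired_user_password');
+select pgbouncer.get_auth('test_valid_user_password');
 reset role;
 
 drop role test_expired_user_password;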
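Review bot: The negative case under `-- and not other non-superusers` exercises only `postgres`, so no call in this hunk covers the migration's `revoke all ... from public`. A role with no explicit grant would cover it, assuming the test session is allowed to switch to it: `set role test_valid_user_password;`, then `select pgbouncer.get_auth('test_valid_user_password');`, then `reset role;`, placed before the roles are dropped. The matching line in pgbouncer.out would be `ERROR: permission denied for function get_auth`. The test script starts and continues outside this hunk, so an equivalent check may already exist elsewhere in the file.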
