fix: search path and migration grants

search_path not set on pgbouncer.get_auth and later migrations
don't apply permissions correctly.

Author: staaldraad

ansible/files/pgbouncer_config/pgbouncer_auth_schema.sql

@@ -14,7 +14,9 @@ BEGIN
     SELECT usename::TEXT, passwd::TEXT FROM pg_catalog.pg_shadow
     WHERE usename = p_usename;
 END;
-$$ LANGUAGE plpgsql SECURITY DEFINER;
+$$ LANGUAGE plpgsql 
+SET search_path = ''
+SECURITY DEFINER;
 
 REVOKE ALL ON FUNCTION pgbouncer.get_auth(p_usename TEXT) FROM PUBLIC;
 GRANT EXECUTE ON FUNCTION pgbouncer.get_auth(p_usename TEXT) TO pgbouncer;

ansible/vars.yml

@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.6.0.010-orioledb"
-  postgres17: "17.6.1.053"
-  postgres15: "15.14.1.053"
+  postgresorioledb-17: "17.6.0.011-orioledb"
+  postgres17: "17.6.1.054"
+  postgres15: "15.14.1.054"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0

migrations/db/migrations/20251121132723_correct_search_path_pgbouncer.sql

@@ -0,0 +1,26 @@
+-- migrate:up
+
+create or replace function pgbouncer.get_auth(p_usename text) returns table (username text, password text)
+    language plpgsql 
+    set search_path = ''
+    security definer
+    as $$
+begin
+    raise debug 'PgBouncer auth request: %', p_usename;
+
+    return query
+    select 
+        rolname::text, 
+        case when rolvaliduntil < now() 
+            then null 
+            else rolpassword::text 
+        end 
+    from pg_authid 
+    where rolname=$1 and rolcanlogin;
+end;
+$$;
+
+revoke execute on function pgbouncer.get_auth(text) from public;
+grant execute on function pgbouncer.get_auth(text) to pgbouncer;
+-- migrate:down
+

migrations/schema-15.sql

@@ -477,7 +477,9 @@ COMMENT ON FUNCTION extensions.set_graphql_placeholder() IS 'Reintroduces placeh
 --
 
 CREATE FUNCTION pgbouncer.get_auth(p_usename text) RETURNS TABLE(username text, password text)
-    LANGUAGE plpgsql SECURITY DEFINER
+    LANGUAGE plpgsql 
+    SET search_path = ''
+    SECURITY DEFINER
     AS $_$
 begin
     raise debug 'PgBouncer auth request: %', p_usename;
@@ -494,6 +496,8 @@ begin
 end;
 $_$;
 
+REVOKE ALL ON FUNCTION pgbouncer.get_auth(p_usename TEXT) FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION pgbouncer.get_auth(p_usename TEXT) TO pgbouncer;
 
 --
 -- Name: extension(text); Type: FUNCTION; Schema: storage; Owner: -

migrations/schema-17.sql

@@ -478,7 +478,9 @@ COMMENT ON FUNCTION extensions.set_graphql_placeholder() IS 'Reintroduces placeh
 --
 
 CREATE FUNCTION pgbouncer.get_auth(p_usename text) RETURNS TABLE(username text, password text)
-    LANGUAGE plpgsql SECURITY DEFINER
+    LANGUAGE plpgsql 
+    SET search_path = ''
+    SECURITY DEFINER
     AS $_$
 begin
     raise debug 'PgBouncer auth request: %', p_usename;
@@ -495,7 +497,8 @@ begin
 end;
 $_$;
 
-
+REVOKE ALL ON FUNCTION pgbouncer.get_auth(p_usename TEXT) FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION pgbouncer.get_auth(p_usename TEXT) TO pgbouncer;
 --
 -- Name: extension(text); Type: FUNCTION; Schema: storage; Owner: -
 --

migrations/schema-orioledb-17.sql

@@ -492,7 +492,9 @@ COMMENT ON FUNCTION extensions.set_graphql_placeholder() IS 'Reintroduces placeh
 --
 
 CREATE FUNCTION pgbouncer.get_auth(p_usename text) RETURNS TABLE(username text, password text)
-    LANGUAGE plpgsql SECURITY DEFINER
+    LANGUAGE plpgsql 
+    SET search_path = ''
+    SECURITY DEFINER
     AS $_$
 begin
     raise debug 'PgBouncer auth request: %', p_usename;
@@ -509,7 +511,8 @@ begin
 end;
 $_$;
 
-
+REVOKE ALL ON FUNCTION pgbouncer.get_auth(p_usename TEXT) FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION pgbouncer.get_auth(p_usename TEXT) TO pgbouncer;
 --
 -- Name: extension(text); Type: FUNCTION; Schema: storage; Owner: -
 --

migrations/schema.sql

@@ -474,7 +474,9 @@ COMMENT ON FUNCTION extensions.set_graphql_placeholder() IS 'Reintroduces placeh
 --
 
 CREATE FUNCTION pgbouncer.get_auth(p_usename text) RETURNS TABLE(username text, password text)
-    LANGUAGE plpgsql SECURITY DEFINER
+    LANGUAGE plpgsql 
+    SET search_path = ''
+    SECURITY DEFINER
     AS $$
 BEGIN
     RAISE WARNING 'PgBouncer auth request: %', p_usename;
@@ -485,7 +487,8 @@ BEGIN
 END;
 $$;
 
-
+REVOKE ALL ON FUNCTION pgbouncer.get_auth(p_usename TEXT) FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION pgbouncer.get_auth(p_usename TEXT) TO pgbouncer;
 --
 -- Name: extension(text); Type: FUNCTION; Schema: storage; Owner: -
 --

nix/tests/expected/pgbouncer.out

@@ -83,5 +83,21 @@ select pgbouncer.get_auth('test_valid_user_password');
  (test_valid_user_password,SCRAM-SHA-256$4096:testsaltbase64$storedkeybase64$serverkeybase64)
 (1 row)
 
+
+-- Test pgbouncer.get_auth is executable by the pgbouncer user
+set role pgbouncer;
+select pgbouncer.get_auth('test_expired_user_password');
+           get_auth            
+-------------------------------
+ (test_expired_user_password,)
+(1 row)
+reset role;
+
+-- and not other non-superusers
+set role postgres;
+select pgbouncer.get_auth('test_expired_user_password');
+ERROR:  permission denied for function get_auth
+reset role;
+
 drop role test_expired_user_password;
 drop role test_valid_user_password;

nix/tests/sql/pgbouncer.sql

@@ -62,5 +62,15 @@ select pgbouncer.get_auth('test_expired_user_password');
 
 select pgbouncer.get_auth('test_valid_user_password');
 
+-- Test pgbouncer.get_auth is executable by the pgbouncer user
+set role pgbouncer;
+select pgbouncer.get_auth('test_expired_user_password');
+reset role;
+
+-- and not other non-superusers
+set role postgres;
+select pgbouncer.get_auth('test_expired_user_password');
+reset role;
+
 drop role test_expired_user_password;
 drop role test_valid_user_password;