fix: incorporate v3.0.0 supautils (#1844)

* fix: incorporate v3.0.0 supautils
with change that checks that an event trigger function is owned by the same superuser
negating the need for after-create for postgresql_fdw
introduces a test in pg_regress that checks the outcome of this change

* fix: add `grant usage` for postgres_fdw

* test: postgres_fdw

* fix: align expected output with test

* chore: update versions

---------

Co-authored-by: Bobbie Soedirgo <bobbie@soedirgo.dev>

Author: 2 people

ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql

@@ -1,21 +1 @@
-do $$
-declare
-  is_super boolean;
-begin
-  is_super = (
-    select usesuper
-    from pg_user
-    where usename = 'postgres'
-  );
-
-  -- Need to be superuser to own FDWs, so we temporarily make postgres superuser.
-  if not is_super then
-    alter role postgres superuser;
-  end if;
-
-  alter foreign data wrapper postgres_fdw owner to postgres;
-
-  if not is_super then
-    alter role postgres nosuperuser;
-  end if;
-end $$;
+grant usage on foreign data wrapper postgres_fdw to postgres with grant option;

ansible/vars.yml

@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.5.1.043-orioledb"
-  postgres17: "17.6.1.022"
-  postgres15: "15.14.1.022"
+  postgresorioledb-17: "17.5.1.044-orioledb"
+  postgres17: "17.6.1.023"
+  postgres15: "15.14.1.023"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.24.1

nix/ext/supautils.nix

@@ -7,15 +7,15 @@
 
 stdenv.mkDerivation rec {
   pname = "supautils";
-  version = "2.9.4";
+  version = "3.0.0";
 
   buildInputs = [ postgresql ];
 
   src = fetchFromGitHub {
     owner = "supabase";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-qP9fOEWXw+wY49GopTizwxSBEGS0UoseJHVBtKS/BdI=";
+    hash = "sha256-EKKjNZQf7HwP/MxpHoPtbEtwXk+wO241GoXVcXpDMFs=";
   };
 
   installPhase = ''

nix/tests/expected/postgres_fdw.out

@@ -0,0 +1,30 @@
+/*
+
+Test to verify supautils (v3.0.0+) allows non-superuser postgres role to use postgres_fdw.
+
+This test ensures that the supautils extension properly handles FDW usage
+for the privileged postgres role without requiring temporary superuser privileges.
+
+This verifies the fix that eliminated the need for:
+https://github.com/supabase/postgres/blob/a638c6fce0baf90b654e762eddcdac1bc8df01ee/ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql (removed)
+
+*/
+begin;
+-- Switch to the postgres role (non-superuser) to test supautils behavior
+set role postgres;
+-- postgres_fdw should be owned by the superuser
+select fdwowner::regrole from pg_foreign_data_wrapper where fdwname = 'postgres_fdw';
+    fdwowner    
+----------------
+ supabase_admin
+(1 row)
+
+-- Verify that `postgres` can use the FDW despite not owning it
+create server s
+  foreign data wrapper postgres_fdw
+  options (
+    host '127.0.0.1',
+    port '5432',
+    dbname 'postgres'
+  );
+rollback;

nix/tests/sql/postgres_fdw.sql

@@ -0,0 +1,30 @@
+/*
+
+Test to verify supautils (v3.0.0+) allows non-superuser postgres role to use postgres_fdw.
+
+This test ensures that the supautils extension properly handles FDW usage
+for the privileged postgres role without requiring temporary superuser privileges.
+
+This verifies the fix that eliminated the need for:
+https://github.com/supabase/postgres/blob/a638c6fce0baf90b654e762eddcdac1bc8df01ee/ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql (removed)
+
+*/
+
+begin;
+
+-- Switch to the postgres role (non-superuser) to test supautils behavior
+set role postgres;
+
+-- postgres_fdw should be owned by the superuser
+select fdwowner::regrole from pg_foreign_data_wrapper where fdwname = 'postgres_fdw';
+
+-- Verify that `postgres` can use the FDW despite not owning it
+create server s
+  foreign data wrapper postgres_fdw
+  options (
+    host '127.0.0.1',
+    port '5432',
+    dbname 'postgres'
+  );
+
+rollback;