diff --git a/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql new file mode 100644 index 000000000..b5320f56d --- /dev/null +++ b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql @@ -0,0 +1,8 @@ +-- migrate:up +ALTER ROLE postgres SET local_preload_libraries = '$libdir/plugins/safeupdate'; + +ALTER ROLE postgres SET safeupdate.enabled = 0; + + +-- migrate:down + diff --git a/nix/ext/pg-safeupdate.nix b/nix/ext/pg-safeupdate.nix index 168772ce2..b74a3f0c4 100644 --- a/nix/ext/pg-safeupdate.nix +++ b/nix/ext/pg-safeupdate.nix @@ -29,9 +29,10 @@ let runHook preInstall mkdir -p $out/share/postgresql/extension - + mkdir -p $out/lib/plugins # Install versioned library - install -Dm755 ${pname}${postgresql.dlSuffix} $out/lib/${pname}-${version}${postgresql.dlSuffix} + # we use the plugins path because loading libraries with `local_preload_libraries` is restricted to this path only, see https://postgresqlco.nf/doc/en/param/local_preload_libraries/ + install -Dm755 ${pname}${postgresql.dlSuffix} $out/lib/plugins/${pname}-${version}${postgresql.dlSuffix} runHook postInstall ''; @@ -65,15 +66,16 @@ pkgs.buildEnv { paths = packages; nativeBuildInputs = [ makeWrapper ]; pathsToLink = [ - "/lib" + "/lib/plugins" "/share/postgresql/extension" ]; postBuild = '' - ln -sfn ${pname}-${latestVersion}${postgresql.dlSuffix} $out/lib/${pname}${postgresql.dlSuffix} + ln -sfn ${pname}-${latestVersion}${postgresql.dlSuffix} $out/lib/plugins/${pname}${postgresql.dlSuffix} + ln -sfn plugins/${pname}${postgresql.dlSuffix} $out/lib/${pname}${postgresql.dlSuffix} # checks (set -x - test "$(ls -A $out/lib/${pname}*${postgresql.dlSuffix} | wc -l)" = "${ + test "$(ls -A $out/lib/plugins/${pname}*${postgresql.dlSuffix} | wc -l)" = "${ toString (numberOfVersionsBuilt + 1) }" ) 
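Review bot: The `-- migrate:down` section of `20260403172611_safeupdate-data-api-enable.sql` is empty, so a rollback leaves both settings on the `postgres` role; it should carry `ALTER ROLE postgres RESET local_preload_libraries;` and `ALTER ROLE postgres RESET safeupdate.enabled;`. PostgreSQL fails the connection attempt when a library named in `local_preload_libraries` cannot be found, so this migration presumably must only run on images that already ship the library under `$libdir/plugins`; a comment above the first statement should state that ordering requirement. The second statement sets `safeupdate.enabled = 0`, which leaves the guard loaded but switched off for `postgres` sessions by default. If that is the intent, say so next to it, e.g. `-- loaded but disabled by default; sessions opt in with SET safeupdate.enabled = 1`.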
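Review bot: The comment added in the install phase of `nix/ext/pg-safeupdate.nix` (first hunk) justifies the move to `$out/lib/plugins` with a link to a third-party mirror and leaves out the security consequence of that directory. `$libdir/plugins` is the location from which non-superusers may `LOAD` a library or name it in `local_preload_libraries`, so anything installed there becomes loadable by unprivileged roles. I would cite the PostgreSQL documentation for `local_preload_libraries` and state that directly, e.g. `# $libdir/plugins is loadable by non-superusers; only libraries safe for that belong here`. The added `mkdir -p $out/lib/plugins` looks redundant, since `install -D` already creates the leading directories. The enclosing install script starts outside this hunk.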
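Review bot: In the second hunk of `nix/ext/pg-safeupdate.nix`, the `postBuild` check now counts files under `$out/lib/plugins` only, so nothing verifies the compatibility symlink `$out/lib/${pname}${postgresql.dlSuffix}` created just above it. The unqualified name is presumably still what `shared_preload_libraries` in `defaultSettings` and the `session_preload_libraries=safeupdate` setting on `authenticator` (visible in `roles.out`) resolve through `$libdir`, so a dangling link would surface only at server or session start. Adding `test -e $out/lib/${pname}${postgresql.dlSuffix}` inside the `(set -x … )` block would catch it at build time. `pathsToLink` also drops `/lib`, so the versioned libraries are reachable only under `plugins/`; it is worth confirming nothing loads a versioned file from `$libdir` directly.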
@@ -88,6 +90,7 @@ pkgs.buildEnv {
 inherit pname latestOnly;
 defaultSettings = {
 shared_preload_libraries = [ "safeupdate" ];
+ local_preload_libraries = [ "safeupdate" ];
 };
 pgRegressTestName = "pg-safeupdate";
 version =
diff --git a/nix/tests/expected/pg-safeupdate.out b/nix/tests/expected/pg-safeupdate.out
index f9100116a..21948552e 100644
--- a/nix/tests/expected/pg-safeupdate.out
+++ b/nix/tests/expected/pg-safeupdate.out
@@ -1,4 +1,4 @@
-load 'safeupdate';
+load '$libdir/plugins/safeupdate';
 set safeupdate.enabled=1;
 create schema v;
 create table v.foo(
diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out
index a457f4029..b0b81aba9 100644
--- a/nix/tests/expected/roles.out
+++ b/nix/tests/expected/roles.out
@@ -60,8 +60,8 @@ select
 from pg_roles r
 where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by rolname;
- rolname | rolconfig
-----------------------------+---------------------------------------------------------------------------------
+ rolname | rolconfig
+----------------------------+-------------------------------------------------------------------------------------------------------------------------------
 anon | {statement_timeout=3s}
 authenticated | {statement_timeout=8s}
 authenticator | {session_preload_libraries=safeupdate,statement_timeout=8s,lock_timeout=8s}
@@ -83,7 +83,7 @@ order by rolname;
 pgsodium_keyiduser |
 pgsodium_keymaker |
 pgtle_admin |
- postgres | {"search_path=\"\\$user\", public, extensions"}
+ postgres | {"search_path=\"\\$user\", public, extensions","local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=0}
 service_role |
 supabase_admin | {"search_path=\"$user\", public, auth, extensions",log_statement=none}
 supabase_auth_admin | {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none}
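Review bot: In the `defaultSettings` hunk of `nix/ext/pg-safeupdate.nix`, the new `local_preload_libraries = [ "safeupdate" ];` sits next to `shared_preload_libraries = [ "safeupdate" ];`. In the regression instance the library is therefore presumably already loaded at server start, and the per-session load from `$libdir/plugins` is not what makes the tests pass. A comment explaining why both are set would help, for example `# shared_preload keeps existing behaviour; local_preload mirrors the role setting from the migration`. The bare name here and the explicit `$libdir/plugins/safeupdate` in the migration should resolve to the same file, but one spelling in both places would make that obvious. The `pkgs.buildEnv` attribute set starts and ends outside this hunk.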
diff --git a/nix/tests/expected/z_multigres-orioledb-17_roles.out b/nix/tests/expected/z_multigres-orioledb-17_roles.out
index a307b2014..61bc84f72 100644
--- a/nix/tests/expected/z_multigres-orioledb-17_roles.out
+++ b/nix/tests/expected/z_multigres-orioledb-17_roles.out
@@ -57,8 +57,8 @@ select
 from pg_roles r
 where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by rolname;
- rolname | rolconfig
-----------------------------+---------------------------------------------------------------------------------
+ rolname | rolconfig
+----------------------------+-------------------------------------------------------------------------------------------------------------------------------
 anon | {statement_timeout=3s}
 authenticated | {statement_timeout=8s}
 authenticator | {session_preload_libraries=safeupdate,statement_timeout=8s,lock_timeout=8s}
@@ -77,7 +77,7 @@ order by rolname;
 pg_write_server_files |
 pgbouncer |
 pgtle_admin |
- postgres | {"search_path=\"\\$user\", public, extensions"}
+ postgres | {"search_path=\"\\$user\", public, extensions","local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=0}
 service_role |
 supabase_admin | {"search_path=\"\\$user\", public, auth, extensions",log_statement=none}
 supabase_auth_admin | {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none}
diff --git a/nix/tests/sql/pg-safeupdate.sql b/nix/tests/sql/pg-safeupdate.sql
index 790ec79fa..fe25137a1 100644
--- a/nix/tests/sql/pg-safeupdate.sql
+++ b/nix/tests/sql/pg-safeupdate.sql
@@ -1,4 +1,4 @@
-load 'safeupdate';
+load '$libdir/plugins/safeupdate';
 set safeupdate.enabled=1;