Skip to content

feat: revoke supabase_{auth|storage}_admin from postgres #994

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: develop
Choose a base branch
from
Open

feat: revoke supabase_{auth|storage}_admin from postgres #994

wants to merge 3 commits into from
+17 −53

Conversation

soedirgo
Copy link
Member

@soedirgo soedirgo commented Jun 6, 2024
edited
Loading

Context

Restricts privileges for postgres on auth and storage schemas to prevent unintentional breakage. realtime will be handled out of band because the privileges are set up in the supabase/realtime repo.

Tested on local infra:

pause & restore (15.8.1.079 to 15.8.1.079-roles-1):

  • create project on 15.8.1.079
  • run q1, it should succeed
  • pause & restore into 15.8.1.079-roles-1
  • run all statements in q1 one by one, each must fail
  • run q2, it must succeed
  • run all statements in q3 one by one, each must fail
queries

q1

-- create custom table in auth schema
create table auth.custom_table();

-- create custom function in auth schema
create function auth.hello_world_function()
returns trigger as 'begin return new; end' LANGUAGE plpgsql;

-- create custom table in storage schema
create table storage.custom_table();

-- create custom function in storage schema
create function storage.hello_world_function()
returns trigger as 'begin return new; end' LANGUAGE plpgsql;

q2

-- create trigger on internal auth table
create trigger hello_world_trigger
after insert on auth.users
for each row
execute function auth.hello_world_function();

-- drop trigger on internal auth table
drop trigger hello_world_trigger on auth.users;

-- create fkey referencing internal auth table
create table public.t (
  id int8 generated by default as identity primary key,
  user_id uuid references auth.users(id)
);
drop table public.t;

-- create trigger on internal storage table
create trigger hello_world_trigger
after insert on storage.objects
for each row
execute function storage.hello_world_function();

-- drop trigger on internal storage table
drop trigger hello_world_trigger on storage.objects;

-- create fkey referencing internal storage table
create table public.t (
  id int8 generated by default as identity primary key,
  object_id uuid references storage.objects(id)
);
drop table public.t;

q3

insert into auth.schema_migrations default values;
delete from auth.schema_migrations;
truncate auth.schema_migrations;
drop table auth.schema_migrations;
insert into storage.migrations default values;
delete from storage.migrations;
truncate storage.migrations;
drop table storage.migrations;

@soedirgo soedirgo force-pushed the feat/update-supautils-policy-grants branch from 0a579ea to b59533b Compare June 6, 2024 13:14
Base automatically changed from feat/update-supautils-policy-grants to develop June 6, 2024 13:15
@soedirgo soedirgo force-pushed the feat/revoke-supabase_storage_admin-from-postgres branch 7 times, most recently from 74dbed6 to b064948 Compare June 12, 2024 09:40
@soedirgo soedirgo force-pushed the feat/revoke-supabase_storage_admin-from-postgres branch 2 times, most recently from 3d1a215 to 4114665 Compare April 7, 2025 06:03
@soedirgo soedirgo force-pushed the feat/revoke-supabase_storage_admin-from-postgres branch 6 times, most recently from 701ee30 to 105e1a2 Compare April 30, 2025 12:16
@soedirgo soedirgo changed the title feat: revoke supabase_storage_admin from postgres feat: revoke supabase_{auth|storage}_admin from postgres Apr 30, 2025
@soedirgo soedirgo marked this pull request as ready for review April 30, 2025 12:36
@soedirgo soedirgo requested review from a team as code owners April 30, 2025 12:36
steve-chavez
steve-chavez reviewed Apr 30, 2025
View reviewed changes
migrations/db/migrations/20250421084701_revoke_supabase_storage_admin_from_postgres.sql Outdated
Comment on lines 2 to 8
revoke supabase_storage_admin from postgres;
revoke create on schema storage from postgres;
revoke all on storage.migrations from anon, authenticated, service_role, postgres;

revoke supabase_auth_admin from postgres;
revoke create on schema auth from postgres;
revoke all on auth.schema_migrations from dashboard_user, postgres;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The revoke all privileges on the migrations tables are not covered by tests. We should add those to ensure no regressions.

steve-chavez
steve-chavez requested changes Apr 30, 2025
View reviewed changes
Copy link
Member

@steve-chavez steve-chavez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need some covering tests as mentioned above.

@steve-chavez steve-chavez mentioned this pull request Apr 30, 2025
Merged
@steve-chavez
Copy link
Member

Merged #1577 to help with the testing. Now this PR would just need a rebase.

@soedirgo soedirgo force-pushed the feat/revoke-supabase_storage_admin-from-postgres branch from 105e1a2 to 98cc3d1 Compare May 1, 2025 08:12
@soedirgo
Copy link
Member Author

soedirgo commented May 1, 2025

Rebased the PR

@steve-chavez
Copy link
Member

Tests need to be adjusted, see logs (do ctrl+f "regression.diffs").

Looks like these lines have to be removed:

postgres/nix/tests/expected/auth.out

Lines 135 to 148 in 24f17a3

auth | schema_migrations | dashboard_user | DELETE | f
auth | schema_migrations | dashboard_user | INSERT | f
auth | schema_migrations | dashboard_user | REFERENCES | f
auth | schema_migrations | dashboard_user | SELECT | f
auth | schema_migrations | dashboard_user | TRIGGER | f
auth | schema_migrations | dashboard_user | TRUNCATE | f
auth | schema_migrations | dashboard_user | UPDATE | f
auth | schema_migrations | postgres | DELETE | f
auth | schema_migrations | postgres | INSERT | f
auth | schema_migrations | postgres | REFERENCES | f
auth | schema_migrations | postgres | SELECT | f
auth | schema_migrations | postgres | TRIGGER | f
auth | schema_migrations | postgres | TRUNCATE | f
auth | schema_migrations | postgres | UPDATE | f

@steve-chavez steve-chavez mentioned this pull request May 1, 2025
Open
soedirgo added 2 commits May 2, 2025 13:23
@soedirgo
feat: revoke supabase_*_admin from postgres
d2dcaae 
Prevents Auth and Storage schemas & migrations from being modified
@soedirgo
test: update snapshots
Loading
Loading status checks…
cd88df6
@soedirgo soedirgo force-pushed the feat/revoke-supabase_storage_admin-from-postgres branch from 34dff60 to cd88df6 Compare May 2, 2025 05:33
@soedirgo
Copy link
Member Author

soedirgo commented May 2, 2025

Thanks, all fixed now

@soedirgo
chore: bump versions
Loading
Loading status checks…
c7c4faf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@steve-chavez steve-chavez

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@soedirgo @steve-chavez