fix: update ext custom scripts to follow changes in Salt (#1870)

* fix: update ext custom scripts to follow changes in Salt

* fix: include changes to search_path manipulation

* fix: nixos test running pg_regress for pgmq

Configure default `search_path` parameter for postgresql running in the
nixos test environment.

* fix: nixos test running pg_regress for vault

Configure default `search_path` parameter for postgresql running in the nixos test environment.

---------

Co-authored-by: Jean-François Roche <[email protected]>

Author: soedirgo

ansible/files/postgresql_extension_custom_scripts/pgmq/after-create.sql

@@ -1,11 +1,12 @@
 do $$
 declare
   extoid oid := (select oid from pg_extension where extname = 'pgmq');
+  extversion text := (select extversion from pg_extension where extname = 'pgmq');
+  search_path text := (select current_setting('search_path'));
   r record;
   cls pg_class%rowtype;
 begin
-
-  set local search_path = '';
+  perform set_config('search_path', '', true);
 
 /*
     Override the pgmq.drop_queue to check if relevant tables are owned
@@ -18,8 +19,13 @@ begin
     physical backups everywhere
 */
 -- Detach and delete the official function
-alter extension pgmq drop function pgmq.drop_queue(TEXT);
-drop function pgmq.drop_queue(TEXT);
+if extversion = '1.4.4' then
+  alter extension pgmq drop function pgmq.drop_queue;
+  drop function pgmq.drop_queue;
+else -- 1.5.1+
+  alter extension pgmq drop function pgmq.drop_queue(TEXT);
+  drop function pgmq.drop_queue(TEXT);
+end if;
 
 -- Create and reattach the patched function
 CREATE FUNCTION pgmq.drop_queue(queue_name TEXT)
@@ -134,7 +140,11 @@ BEGIN
 END;
 $func$ LANGUAGE plpgsql;
 
-alter extension pgmq add function pgmq.drop_queue(TEXT);
+if extversion = '1.4.4' then
+  alter extension pgmq add function pgmq.drop_queue;
+else -- 1.5.1+
+  alter extension pgmq add function pgmq.drop_queue(TEXT);
+end if;
 
 
   update pg_extension set extowner = 'postgres'::regrole where extname = 'pgmq';
@@ -170,4 +180,7 @@ alter extension pgmq add function pgmq.drop_queue(TEXT);
 
     end if;
   end loop;
+
+  -- restore configs
+  perform set_config('search_path', search_path, true);
 end $$;

ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql

@@ -1,8 +1,21 @@
-grant usage on schema vault to postgres with grant option;
-grant select, delete, truncate, references on vault.secrets, vault.decrypted_secrets to postgres with grant option;
-grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to postgres with grant option;
+do $$
+declare
+  extversion text := (select extversion from pg_extension where extname = 'supabase_vault');
+  search_path text := (select current_setting('search_path'));
+begin
+  perform set_config('search_path', '', true);
 
--- service_role used to be able to manage secrets in Vault <=0.2.8 because it had privileges to pgsodium functions
-grant usage on schema vault to service_role;
-grant select, delete on vault.secrets, vault.decrypted_secrets to service_role;
-grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to service_role;
+  if extversion != '0.2.8' then
+    grant usage on schema vault to postgres with grant option;
+    grant select, delete, truncate, references on vault.secrets, vault.decrypted_secrets to postgres with grant option;
+    grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to postgres with grant option;
+
+    -- service_role used to be able to manage secrets in Vault <=0.2.8 because it had privileges to pgsodium functions
+    grant usage on schema vault to service_role;
+    grant select, delete on vault.secrets, vault.decrypted_secrets to service_role;
+    grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to service_role;
+  end if;
+
+  -- restore configs
+  perform set_config('search_path', search_path, true);
+end $$;

nix/ext/pgmq/default.nix

@@ -100,6 +100,9 @@ buildEnv {
 
   passthru = {
     inherit versions numberOfVersions;
+    defaultSettings = {
+      search_path = "\"$user\", public, auth, extensions";
+    };
     pname = "${pname}-all";
     version =
       "multi-" + lib.concatStringsSep "-" (map (v: lib.replaceStrings [ "." ] [ "-" ] v) versions);

nix/ext/tests/vault.nix

@@ -84,6 +84,7 @@ self.inputs.nixpkgs.lib.nixos.runTest {
         settings = {
           "shared_preload_libraries" = "${pname},pgsodium";
           "pgsodium.getkey_script" = vaultGetKey;
+          "search_path" = "\"$user\", public, auth, extensions";
           "vault.getkey_script" = vaultGetKey;
         };
       };

nix/tests/expected/pgmq.out

@@ -200,3 +200,10 @@ order by
  pgmq        | validate_queue_name           | postgres
 (40 rows)
 
+-- assert search_path is preserved after after-create script is run
+show search_path;
+            search_path            
+-----------------------------------
+ "$user", public, auth, extensions
+(1 row)
+

nix/tests/expected/vault.out

@@ -97,3 +97,10 @@ ORDER BY
  vault  | secrets | secrets_pkey     | supabase_admin | Unique
 (2 rows)
 
+-- assert search_path is preserved after after-create script is run
+show search_path;
+            search_path            
+-----------------------------------
+ "$user", public, auth, extensions
+(1 row)
+

nix/tests/sql/pgmq.sql

@@ -101,3 +101,6 @@ where
   n.nspname = 'pgmq'
 order by
   p.proname;
+
+-- assert search_path is preserved after after-create script is run
+show search_path;

nix/tests/sql/vault.sql

@@ -51,3 +51,6 @@ WHERE
 ORDER BY
     t.relname,
     i.relname;
+
+-- assert search_path is preserved after after-create script is run
+show search_path;