mirror of
https://github.com/supabase/supabase.git
synced 2026-06-23 02:11:02 +08:00
9dc3998fa0
## Context Resolves FE-3221 Heavily inspired by what @filipecabaco has done previously here: https://github.com/supabase/supabase/pull/45360 This PR explores the use of pglite to set up a sandbox for RLS testing, which will pave the way for testing mutation based queries so to ensure no disruption to the actual database. Sandbox can be set up within the RLS tester panel as such: <img width="500" alt="image" src="https://github.com/user-attachments/assets/0cfdf8e4-dd99-4dee-ac00-39a32b375c07" /> Which the sandbox will mimic the project's database to the bare minimum required - entities from the `public` schema are copied over (types, tables, functions, policies) - `auth` schema is pseudo setup with `SANDBOX_SETUP_STATEMENTS` - Enough to support role impersonation + querying tables with references to the auth schema (e.g users table) - data is seeded up to 100 rows for each table - More info RE limitations in the last section below Once sandbox is ready, you'll see this UI where you can either leave the sandbox, or re-sync the sandbox from the actual database <img width="500" alt="image" src="https://github.com/user-attachments/assets/d07ce55f-5bc8-4722-8ce9-898b9b458f9b" /> Changes are currently feature flagged, so won't be available publicly just yet until things are ironed out and ready ## To test - [ ] Verify that setting up sandbox works - [ ] Verify that you can query your sandbox, and queries do not touch the actual database (can verify that we're not sending HTTP requests to the /query endpoint) - [ ] Verify correctness of RLS tester as well, should match correctness with testing against actual DB - [ ] Verify that re-syncing sandbox picks up changes - Can test by updating your policies that will affect the output of your select query - e.g SELECT for `authenticated`, change from just `true` to `false` - [ ] RLS tester should work as per normal (against actual DB) with the feature flag off with no additional overhead Let me know of any edge cases you might run into while testing ## Known quirks that will be addressed subsequently Leaving these for now just to not bloat this PR further - Pglite schema needs to be re-synced if updating RLS policies while testing, to ensure that pglite gets the updated policies. Will think about how to make this more seamless - Sandbox has its own limitations, will need to add a dialog to inform users how the sandbox works and what limitations to note of - e.g only the auth schema is mimicked - so policies that reference storage helpers won't work (although i think auth is probably the main use case and the rest might be niche) - We can slowly expand tho where required - Eventually we'll also move forward with figuring out testing mutation queries with this sandbox <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * RLS tester gains an isolated Postgres sandbox with schema/seed import, start/refresh/exit controls, and pre-populated auth data. * Sandbox management UI with setup, loading, active, and error states; refresh and destroy actions. * **Bug Fixes** * Role impersonation now keeps the PostgREST role set to anon while the tester sheet is open. * **Chores** * Content Security Policy updated to allow sandbox/connectivity endpoints. * **Style** * Minor sheet styling adjustment (top border). <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45839) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai -->
211 lines
7.4 KiB
TypeScript
211 lines
7.4 KiB
TypeScript
import { ident, literal, type PGPolicy } from '@supabase/pg-meta'
|
|
|
|
import { DatabaseSchemaDDL } from '@/data/rls-tester/get-schema-ddl'
|
|
import { TableSeedData } from '@/data/rls-tester/get-seed-data'
|
|
import { getErrorMessage } from '@/lib/get-error-message'
|
|
|
|
interface Executor {
|
|
execSql(sql: string): Promise<void>
|
|
}
|
|
|
|
function buildPolicySQL(policy: PGPolicy): string {
|
|
const name = ident(policy.name)
|
|
const target = `${ident(policy.schema)}.${ident(policy.table)}`
|
|
const permissiveness = policy.action === 'RESTRICTIVE' ? 'AS RESTRICTIVE' : ''
|
|
const command = policy.command === 'ALL' ? '' : `FOR ${policy.command}`
|
|
const roles = policy.roles?.length ? `TO ${policy.roles.map(ident).join(', ')}` : ''
|
|
const using = policy.definition ? `USING (${policy.definition})` : ''
|
|
const withCheck = policy.check ? `WITH CHECK (${policy.check})` : ''
|
|
|
|
const drop = `DROP POLICY IF EXISTS ${name} ON ${target}`
|
|
const create = [
|
|
`CREATE POLICY ${name}`,
|
|
`ON ${target}`,
|
|
permissiveness,
|
|
command,
|
|
roles,
|
|
using,
|
|
withCheck,
|
|
]
|
|
.filter(Boolean)
|
|
.join(' ')
|
|
return `${drop}; ${create}`
|
|
}
|
|
|
|
async function tryExec(sandbox: Executor, sql: string, label: string): Promise<void> {
|
|
try {
|
|
await sandbox.execSql(sql)
|
|
} catch (err) {
|
|
console.warn(`[rls-sandbox] skipped ${label}:`, getErrorMessage(err) ?? err)
|
|
}
|
|
}
|
|
|
|
// Retry items until no further progress can be made — handles ordering
|
|
// dependencies (e.g. table A references type B that hasn't been created yet).
|
|
// Each pass attempts every pending item; survivors carry forward. When a full
|
|
// pass makes zero progress, surviving items are reported as unresolved.
|
|
async function runUntilFixpoint<T>(
|
|
items: T[],
|
|
attempt: (item: T) => Promise<void>,
|
|
onUnresolved: (item: T, error: unknown) => void
|
|
): Promise<void> {
|
|
let pending = items.slice()
|
|
while (pending.length > 0) {
|
|
const failed: Array<{ item: T; error: unknown }> = []
|
|
for (const item of pending) {
|
|
try {
|
|
await attempt(item)
|
|
} catch (error) {
|
|
failed.push({ item, error })
|
|
}
|
|
}
|
|
if (failed.length === pending.length) {
|
|
for (const { item, error } of failed) onUnresolved(item, error)
|
|
break
|
|
}
|
|
pending = failed.map((f) => f.item)
|
|
}
|
|
}
|
|
|
|
async function applyDDLWithRetries(sandbox: Executor, ddlStatements: string[]): Promise<void> {
|
|
await runUntilFixpoint(
|
|
ddlStatements,
|
|
(ddl) => sandbox.execSql(ddl),
|
|
(ddl, error) =>
|
|
console.warn(
|
|
`[rls-sandbox] skipped DDL: ${ddl.slice(0, 80).replace(/\s+/g, ' ')} — ${getErrorMessage(error) ?? String(error)}`
|
|
)
|
|
)
|
|
}
|
|
|
|
export async function applySchema(
|
|
sandbox: Executor,
|
|
{
|
|
schemas,
|
|
typeDefinitions,
|
|
entityDefinitions,
|
|
functionDefinitions,
|
|
policies,
|
|
rlsStatuses,
|
|
customRoles,
|
|
}: DatabaseSchemaDDL
|
|
): Promise<void> {
|
|
// Reset each user schema so re-syncs pick up renames/drops/column changes and
|
|
// CREATE statements don't collide with the previous run's objects.
|
|
for (const schema of schemas) {
|
|
const schemaId = ident(schema)
|
|
await tryExec(sandbox, `DROP SCHEMA IF EXISTS ${schemaId} CASCADE`, `drop schema ${schema}`)
|
|
await tryExec(sandbox, `CREATE SCHEMA ${schemaId}`, `create schema ${schema}`)
|
|
await tryExec(
|
|
sandbox,
|
|
`GRANT USAGE ON SCHEMA ${schemaId} TO anon, authenticated, service_role`,
|
|
`grant schema ${schema}`
|
|
)
|
|
}
|
|
|
|
if (customRoles.length > 0) {
|
|
const checks = customRoles
|
|
.map(
|
|
({ name }) =>
|
|
`IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = ${literal(name)}) THEN CREATE ROLE ${ident(name)} NOLOGIN; END IF;`
|
|
)
|
|
.join('\n')
|
|
await tryExec(sandbox, `DO $$ BEGIN\n${checks}\nEND $$`, 'custom roles')
|
|
}
|
|
|
|
await applyDDLWithRetries(sandbox, typeDefinitions)
|
|
await applyDDLWithRetries(sandbox, entityDefinitions)
|
|
|
|
for (const schema of [...new Set(rlsStatuses.map((t) => t.schema))]) {
|
|
await tryExec(
|
|
sandbox,
|
|
`GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA ${ident(schema)} TO anon, authenticated, service_role`,
|
|
`grant tables in schema ${schema}`
|
|
)
|
|
}
|
|
|
|
for (const { schema, table, rls_enabled, rls_forced } of rlsStatuses) {
|
|
const actions: string[] = []
|
|
if (rls_enabled) actions.push('ENABLE ROW LEVEL SECURITY')
|
|
if (rls_forced) actions.push('FORCE ROW LEVEL SECURITY')
|
|
if (actions.length === 0) continue
|
|
await tryExec(
|
|
sandbox,
|
|
`ALTER TABLE ${ident(schema)}.${ident(table)} ${actions.join(', ')}`,
|
|
`RLS on ${schema}.${table}`
|
|
)
|
|
}
|
|
|
|
// Disable check_function_bodies so functions referencing not-yet-created objects don't abort.
|
|
// Postgres resolves policy→function references at query time, not at CREATE POLICY time.
|
|
await tryExec(sandbox, `SET check_function_bodies = off`, 'set check_function_bodies')
|
|
for (const fn of functionDefinitions) {
|
|
await tryExec(sandbox, fn, `function ${fn.slice(0, 60).replace(/\s+/g, ' ')}`)
|
|
}
|
|
await tryExec(sandbox, `RESET check_function_bodies`, 'reset check_function_bodies')
|
|
|
|
for (const policy of policies) {
|
|
await tryExec(
|
|
sandbox,
|
|
buildPolicySQL(policy),
|
|
`policy ${policy.schema}.${policy.table} "${policy.name}"`
|
|
)
|
|
}
|
|
}
|
|
|
|
function serializeValue(val: unknown): string {
|
|
if (val === null || val === undefined) return 'NULL'
|
|
if (typeof val === 'boolean') return val ? 'TRUE' : 'FALSE'
|
|
if (typeof val === 'number') return String(val)
|
|
if (val instanceof Date) return `'${val.toISOString()}'`
|
|
if (Array.isArray(val)) return `ARRAY[${val.map(serializeValue).join(', ')}]`
|
|
if (typeof val === 'object') return `'${JSON.stringify(val).replace(/'/g, "''")}'::jsonb`
|
|
return `'${String(val).replace(/'/g, "''")}'`
|
|
}
|
|
|
|
function buildInsertSQL(schema: string, table: string, rows: Record<string, unknown>[]): string {
|
|
if (rows.length === 0) throw new Error(`buildInsertSQL requires at least one row`)
|
|
const columns = Object.keys(rows[0])
|
|
const colList = columns.map((c) => ident(c)).join(', ')
|
|
const valuesList = rows
|
|
.map((row) => `(${columns.map((c) => serializeValue(row[c])).join(', ')})`)
|
|
.join(',\n ')
|
|
return `INSERT INTO ${ident(schema)}.${ident(table)} (${colList}) VALUES\n ${valuesList};`
|
|
}
|
|
|
|
export async function applySeed(sandbox: Executor, tables: TableSeedData[]): Promise<void> {
|
|
// Disable FK triggers so we can delete and re-insert in any order.
|
|
// Requires superuser (ALTER ROLE postgres SUPERUSER in SANDBOX_SETUP_STATEMENTS).
|
|
// Falls back gracefully if the privilege is not available.
|
|
let triggersDisabled = false
|
|
try {
|
|
await sandbox.execSql(`SET session_replication_role = replica`)
|
|
triggersDisabled = true
|
|
} catch {
|
|
// postgres not yet a superuser in this PGlite build — proceed without it
|
|
}
|
|
|
|
try {
|
|
// Always clear before inserting so re-seed reflects the latest data.
|
|
for (const { schema, table } of tables) {
|
|
try {
|
|
await sandbox.execSql(`DELETE FROM ${ident(schema)}.${ident(table)}`)
|
|
} catch {
|
|
// table may not exist yet — ignore
|
|
}
|
|
}
|
|
|
|
// Retry loop handles any remaining FK ordering constraints.
|
|
await runUntilFixpoint(
|
|
tables.filter((t) => t.rows.length > 0),
|
|
(entry) => sandbox.execSql(buildInsertSQL(entry.schema, entry.table, entry.rows)),
|
|
(entry) =>
|
|
console.warn(`[rls-sandbox] seed skipped ${entry.schema}.${entry.table}: unresolved FK`)
|
|
)
|
|
} finally {
|
|
if (triggersDisabled) {
|
|
await sandbox.execSql(`SET session_replication_role = DEFAULT`)
|
|
}
|
|
}
|
|
}
|