From 2c61610ecb051e8929c60d19e4a43045efbf7315 Mon Sep 17 00:00:00 2001
From: Chris Gwilliams <517923+encima@users.noreply.github.com>
Date: Wed, 26 Nov 2025 12:12:54 +0200
Subject: [PATCH 1/4] add track_functions to supautils allowed calls
---
 ansible/files/postgresql_config/supautils.conf.j2 | 2 +-
 nix/tests/expected/enable_tracking.out | 2 ++
 nix/tests/expected/roles.out | 6 +++---
 nix/tests/sql/enable_tracking.sql | 2 ++
 4 files changed, 8 insertions(+), 4 deletions(-)
 create mode 100644 nix/tests/expected/enable_tracking.out
 create mode 100644 nix/tests/sql/enable_tracking.sql
diff --git a/ansible/files/postgresql_config/supautils.conf.j2 b/ansible/files/postgresql_config/supautils.conf.j2
index c503b01a5..c5f908457 100644
--- a/ansible/files/postgresql_config/supautils.conf.j2
+++ b/ansible/files/postgresql_config/supautils.conf.j2
@@ -10,6 +10,6 @@ supautils.privileged_extensions = 'address_standardizer, address_standardizer_da
 supautils.extension_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
 supautils.privileged_extensions_superuser = 'supabase_admin'
 supautils.privileged_role = 'postgres'
-supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_parameter_max_length, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression'
+supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_parameter_max_length, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression, track_functions'
 supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, authenticator'
 supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
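Review bot: The `track_functions` entry added to `supautils.privileged_role_allowed_configs` hands the `postgres` role a setting that stock PostgreSQL reserves for superusers, and nothing in the patch records why that delegation is acceptable. The allowlist entry is a bare name, so every value (`none`, `pl`, `all`) becomes settable, while the new `nix/tests/sql/enable_tracking.sql` only exercises `'pl'`. That test also does not show which role executes it; if the harness connects as a superuser, both `alter role` statements succeed with or without this entry, so the test would not catch its removal. Starting the test with `set role postgres;` would tie it to the allowlist (assumption to confirm: the harness role is not visible in this patch).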
diff --git a/nix/tests/expected/enable_tracking.out b/nix/tests/expected/enable_tracking.out
new file mode 100644
index 000000000..93d4375d3
--- /dev/null
+++ b/nix/tests/expected/enable_tracking.out
@@ -0,0 +1,2 @@
+alter role postgres set track_functions = 'pl';
+alter role postgres set track_io_timing = on;
diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out
index 9c5a47a71..d651fad3d 100644
--- a/nix/tests/expected/roles.out
+++ b/nix/tests/expected/roles.out
@@ -59,8 +59,8 @@ select
 from pg_roles r
 where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by rolname;
- rolname | rolconfig
-----------------------------+---------------------------------------------------------------------------------
+ rolname | rolconfig
+----------------------------+---------------------------------------------------------------------------------------
 anon | {statement_timeout=3s}
 authenticated | {statement_timeout=8s}
 authenticator | {session_preload_libraries=safeupdate,statement_timeout=8s,lock_timeout=8s}
@@ -82,7 +82,7 @@ order by rolname;
 pgsodium_keyiduser |
 pgsodium_keymaker |
 pgtle_admin |
- postgres | {"search_path=\"\\$user\", public, extensions"}
+ postgres | {"search_path=\"\\$user\", public, extensions",track_functions=pl,track_io_timing=on}
 service_role |
 supabase_admin | {"search_path=\"$user\", public, auth, extensions",log_statement=none}
 supabase_auth_admin | {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none}
diff --git a/nix/tests/sql/enable_tracking.sql b/nix/tests/sql/enable_tracking.sql
new file mode 100644
index 000000000..baab0e400
--- /dev/null
+++ b/nix/tests/sql/enable_tracking.sql
@@ -0,0 +1,2 @@
+alter role postgres set track_functions = 'pl';
+alter role postgres set track_io_timing = on;
\ No newline at end of file
From 86741a5948a48bda7ca849884e86de55facf0703 Mon Sep 17 00:00:00 2001
From: Chris Gwilliams <517923+encima@users.noreply.github.com>
Date: Thu, 27 Nov 2025 08:18:53 +0200
Subject: [PATCH 2/4] Update enable_tracking.sql
Co-authored-by: Bobbie Soedirgo <31685197+soedirgo@users.noreply.github.com>
---
 nix/tests/sql/enable_tracking.sql | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/nix/tests/sql/enable_tracking.sql b/nix/tests/sql/enable_tracking.sql
index baab0e400..0ef036f47 100644
--- a/nix/tests/sql/enable_tracking.sql
+++ b/nix/tests/sql/enable_tracking.sql
@@ -1,2 +1,5 @@
 alter role postgres set track_functions = 'pl';
-alter role postgres set track_io_timing = on;
\ No newline at end of file
+alter role postgres set track_io_timing = on;
+
+alter role postgres reset track_functions;
+alter role postgres reset track_io_timing;
\ No newline at end of file
From d9231f2220c7d1d54ef3f90c18a5c664c6d9cdcb Mon Sep 17 00:00:00 2001
From: Bobbie Soedirgo
Date: Thu, 27 Nov 2025 17:42:16 +0800
Subject: [PATCH 3/4] chore: update snapshots
---
 ansible/files/postgresql_config/supautils.conf.j2 | 2 +-
 nix/tests/expected/enable_tracking.out | 2 ++
 nix/tests/expected/roles.out | 6 +++---
 nix/tests/sql/enable_tracking.sql | 2 +-
 4 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/ansible/files/postgresql_config/supautils.conf.j2 b/ansible/files/postgresql_config/supautils.conf.j2
index c5f908457..00262b6ac 100644
--- a/ansible/files/postgresql_config/supautils.conf.j2
+++ b/ansible/files/postgresql_config/supautils.conf.j2
@@ -10,6 +10,6 @@ supautils.privileged_extensions = 'address_standardizer, address_standardizer_da
 supautils.extension_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
 supautils.privileged_extensions_superuser = 'supabase_admin'
 supautils.privileged_role = 'postgres'
-supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_parameter_max_length, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression, track_functions'
+supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_parameter_max_length, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_functions, track_io_timing, wal_compression'
 supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, authenticator'
 supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
diff --git a/nix/tests/expected/enable_tracking.out b/nix/tests/expected/enable_tracking.out
index 93d4375d3..58d2b7bcf 100644
--- a/nix/tests/expected/enable_tracking.out
+++ b/nix/tests/expected/enable_tracking.out
@@ -1,2 +1,4 @@
 alter role postgres set track_functions = 'pl';
 alter role postgres set track_io_timing = on;
+alter role postgres reset track_functions;
+alter role postgres reset track_io_timing;
diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out
index d651fad3d..d35a85b10 100644
--- a/nix/tests/expected/roles.out
+++ b/nix/tests/expected/roles.out
@@ -59,8 +59,8 @@ select
 from pg_roles r
 where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by rolname;
- rolname | rolconfig
-----------------------------+---------------------------------------------------------------------------------------
+ rolname | rolconfig
+----------------------------+---------------------------------------------------------------------------------
 anon | {statement_timeout=3s}
 authenticated | {statement_timeout=8s}
 authenticator | {session_preload_libraries=safeupdate,statement_timeout=8s,lock_timeout=8s}
@@ -82,7 +82,7 @@ order by rolname;
 pgsodium_keyiduser |
 pgsodium_keymaker |
 pgtle_admin |
- postgres | {"search_path=\"\\$user\", public, extensions",track_functions=pl,track_io_timing=on}
+ postgres | {"search_path=\"\\$user\", public, extensions"}
 service_role |
 supabase_admin | {"search_path=\"$user\", public, auth, extensions",log_statement=none}
 supabase_auth_admin | {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none}
diff --git a/nix/tests/sql/enable_tracking.sql b/nix/tests/sql/enable_tracking.sql
index 0ef036f47..58c4d2fb8 100644
--- a/nix/tests/sql/enable_tracking.sql
+++ b/nix/tests/sql/enable_tracking.sql
@@ -2,4 +2,4 @@ alter role postgres set track_functions = 'pl';
 alter role postgres set track_io_timing = on;
 
 alter role postgres reset track_functions;
-alter role postgres reset track_io_timing;
\ No newline at end of file
+alter role postgres reset track_io_timing;
From cb0def94fc09914775aa57fd48fb4e3759a92a47 Mon Sep 17 00:00:00 2001
From: Chris Gwilliams <517923+encima@users.noreply.github.com>
Date: Thu, 27 Nov 2025 20:25:37 +0200
Subject: [PATCH 4/4] fix whitespace in tests
---
 nix/tests/expected/roles.out | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out
index d35a85b10..9c5a47a71 100644
--- a/nix/tests/expected/roles.out
+++ b/nix/tests/expected/roles.out
@@ -59,7 +59,7 @@ select
 from pg_roles r
 where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by rolname;
- rolname | rolconfig
+ rolname | rolconfig
 ----------------------------+---------------------------------------------------------------------------------
 anon | {statement_timeout=3s}
 authenticated | {statement_timeout=8s}