From 68ef5d4f90897604a9b53d067283e1b5725a87ad Mon Sep 17 00:00:00 2001
From: Michael Beaumont
Date: Mon, 9 Mar 2020 15:37:12 +0100
Subject: [PATCH 1/2] Inspect function privileges
---
 schemainspect/pg/sql/privileges.sql | 13 ++++++++++++-
 tests/test_all.py | 10 ++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/schemainspect/pg/sql/privileges.sql b/schemainspect/pg/sql/privileges.sql
index f2198e0..0c09662 100644
--- a/schemainspect/pg/sql/privileges.sql
+++ b/schemainspect/pg/sql/privileges.sql
@@ -13,4 +13,15 @@ where grantee != (
 )
 -- SKIP_INTERNAL and table_schema not in ('pg_internal', 'pg_catalog', 'information_schema', 'pg_toast')
 -- SKIP_INTERNAL and table_schema not like 'pg_temp_%' and table_schema not like 'pg_toast_temp_%'
-order by schema, name, user;
+union
+select
+ routine_schema as schema,
+ routine_name as name,
+ 'function' as object_type,
+ grantee as user,
+ privilege_type as privilege
+from information_schema.role_routine_grants
+where true
+-- SKIP_INTERNAL and routine_schema not in ('pg_internal', 'pg_catalog', 'information_schema', 'pg_toast')
+-- SKIP_INTERNAL and routine_schema not like 'pg_temp_%' and routine_schema not like 'pg_toast_temp_%'
+order by schema, name, "user";
diff --git a/tests/test_all.py b/tests/test_all.py
index 88b8f18..abf14e0 100644
--- a/tests/test_all.py
+++ b/tests/test_all.py
@@ -267,6 +267,7 @@ def setup_pg_schema(s):
 )
 as $$select 'a'::varchar, '2014-01-01'::date$$
 language sql;
+ grant execute on function films_f(date, text, date) to postgres;
 """
 )
 s.execute("comment on function films_f(date, text, date) is 'films_f comment'")
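Review bot: The new union branch identifies a function grant by `routine_schema`/`routine_name` alone, so overloaded functions sharing a name collapse into one (schema, name, user, privilege) row, and the statement the tests/test_all.py hunk of this patch asserts (`grant execute on function {} to ...` with only the qualified name, no argument list) is exactly the form PostgreSQL rejects as ambiguous once a name is overloaded. `information_schema.role_routine_grants` also exposes `specific_name`, which distinguishes overloads and could be carried through so the emitted grant/revoke can include the signature. Separately, per the PostgreSQL documentation this view omits privileges granted to PUBLIC — the default for `execute` on functions — and only shows rows whose grantor or grantee is a currently enabled role, so such grants will never appear in the inspection; the table branch above may share this limitation, but its source view is outside the visible hunk. That behaviour is worth recording in the query, e.g. `-- note: role_routine_grants omits grants to PUBLIC and non-enabled roles; only explicit per-role grants are inspected`.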
@@ -454,6 +455,15 @@ def asserts_pg(i, has_timescale=False):
 assert g.drop_statement == 'revoke select on table {} from "postgres";'.format(
 t_films
 )
+ f_films_f = n("films_f")
+ g = InspectedPrivilege("function", "public", "films_f", "execute", "postgres")
+ g = i.privileges[g.key]
+ assert g.create_statement == 'grant execute on function {} to "postgres";'.format(
+ f_films_f )
+ assert g.drop_statement == 'revoke execute on function {} from "postgres";'.format(
+ f_films_f
+ )
 # composite types
 ct = i.composite_types[n("ttt")]
From 16b0d8482f9b4ca7925873c720e01feab143213d Mon Sep 17 00:00:00 2001
From: Michael Beaumont
Date: Sat, 13 Feb 2021 22:10:30 +0100
Subject: [PATCH 2/2] Ignore function grants to db owner
---
 schemainspect/pg/sql/privileges.sql | 6 +++++-
 tests/test_all.py | 24 ++++++++++++------------
 2 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/schemainspect/pg/sql/privileges.sql b/schemainspect/pg/sql/privileges.sql
index 0c09662..0cd9b3b 100644
--- a/schemainspect/pg/sql/privileges.sql
+++ b/schemainspect/pg/sql/privileges.sql
@@ -21,7 +21,11 @@ select
 grantee as user,
 privilege_type as privilege
 from information_schema.role_routine_grants
-where true
+where grantee != (
+ select datdba::regrole::text
+ from pg_database
+ where datname = current_database()
+)
 -- SKIP_INTERNAL and routine_schema not in ('pg_internal', 'pg_catalog', 'information_schema', 'pg_toast')
 -- SKIP_INTERNAL and routine_schema not like 'pg_temp_%' and routine_schema not like 'pg_toast_temp_%'
 order by schema, name, "user";
diff --git a/tests/test_all.py b/tests/test_all.py
index abf14e0..fce8ebf 100644
--- a/tests/test_all.py
+++ b/tests/test_all.py
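Review bot: The new owner filter compares `grantee`, which information_schema reports as a bare role name, against `datdba::regrole::text`, whose text form is quoted whenever the name needs quoting (mixed case, punctuation), so for such an owner the two never compare equal and the owner's function grants are reported after all. The table branch's `where grantee != (` above appears to use the same comparison (its subquery is outside the visible hunks), so the mismatch would now exist in both places. `select pg_get_userbyid(datdba) from pg_database where datname = current_database()` returns the unquoted name and compares correctly against `grantee`. Whichever form is kept, a one-line comment such as `-- owner privileges are implicit; excluded so they never appear in a diff` would record why the owner is dropped here.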
@@ -234,6 +234,14 @@ def setup_pg_schema(s):
 s.execute("comment on table emptytable is 'emptytable comment'")
 s.execute("create extension pg_trgm")
 s.execute("create schema otherschema")
+ s.execute(
+ """DO $$
+BEGIN
+CREATE ROLE testuser;
+EXCEPTION WHEN duplicate_object THEN RAISE NOTICE '%, skipping', SQLERRM USING ERRCODE = SQLSTATE;
+END
+$$;"""
+ )
 s.execute(
 """
 CREATE TABLE films (
@@ -267,7 +275,7 @@ def setup_pg_schema(s):
 )
 as $$select 'a'::varchar, '2014-01-01'::date$$
 language sql;
- grant execute on function films_f(date, text, date) to postgres;
+ grant execute on function films_f(date, text, date) to testuser;
 """
 )
 s.execute("comment on function films_f(date, text, date) is 'films_f comment'")
@@ -447,21 +455,13 @@ def asserts_pg(i, has_timescale=False):
 assert n("films_title_idx") in t.indexes
 # privileges
- g = InspectedPrivilege("table", "public", "films", "select", "postgres")
- g = i.privileges[g.key]
- assert g.create_statement == 'grant select on table {} to "postgres";'.format(
- t_films
- )
- assert g.drop_statement == 'revoke select on table {} from "postgres";'.format(
- t_films
- )
 f_films_f = n("films_f")
- g = InspectedPrivilege("function", "public", "films_f", "execute", "postgres")
+ g = InspectedPrivilege("function", "public", "films_f", "execute", "testuser")
 g = i.privileges[g.key]
- assert g.create_statement == 'grant execute on function {} to "postgres";'.format(
+ assert g.create_statement == 'grant execute on function {} to "testuser";'.format(
 f_films_f
 )
- assert g.drop_statement == 'revoke execute on function {} from "postgres";'.format(
+ assert g.drop_statement == 'revoke execute on function {} from "testuser";'.format(
 f_films_f
 )
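Review bot: `CREATE ROLE testuser` in the new setup block creates a cluster-wide role that is never dropped, and the `duplicate_object` handler means a role left over from an earlier run — possibly carrying grants or attributes from a different database — is silently reused, so the fixture's state is not fully under the test's control. A matching `drop role if exists testuser` in teardown, once the test database's grants to it are gone, would scope the role to the run; failing that, a comment such as `# testuser is cluster-global and persists across runs; only its existence is relied on` would document the assumption. Creating the role with defaults (no LOGIN, no privileges) is the right minimal shape for a grant target, so nothing more needs adding there. `setup_pg_schema` continues past the end of this hunk.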
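Review bot: Deleting the table-privilege assertions in the `asserts_pg` hunk leaves the table half of privileges.sql with no test coverage: after this patch only a function `execute` grant is looked up in `i.privileges`, and the table branch — which, judging by the `where grantee != (` context in the SQL hunk, filters out the database owner too — is never exercised. Rather than remove them, the same assertions could be retargeted at the new role by adding `grant select on table films to testuser;` to the setup SQL and keeping the `InspectedPrivilege("table", "public", "films", "select", "testuser")` lookup with its `t_films` create/drop checks. The remaining assertions reuse `g` for both the probe key and the inspected object; `key = InspectedPrivilege(...).key` followed by `g = i.privileges[key]` would read more clearly, though that is pre-existing style. `asserts_pg` continues past the end of this hunk.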