wip: add network_restrictions to db config

avallete · avallete · commit ac372a6a236f · 2025-06-24T17:55:25.000+02:00
diff --git a/internal/link/link.go b/internal/link/link.go
@@ -83,6 +83,12 @@ func LinkServices(ctx context.Context, projectRef, anonKey string, fsys afero.Fs
 			fmt.Fprintln(os.Stderr, err)
 		}
 	}()
+	go func() {
+		defer wg.Done()
+		if err := linkNetworkRestrictions(ctx, projectRef); err != nil && viper.GetBool("DEBUG") {
+			fmt.Fprintln(os.Stderr, err)
+		}
+	}()
 	go func() {
 		defer wg.Done()
 		if err := linkPostgrest(ctx, projectRef); err != nil && viper.GetBool("DEBUG") {
@@ -193,6 +199,17 @@ func linkDatabaseSettings(ctx context.Context, projectRef string) error {
 	return nil
 }
 
+func linkNetworkRestrictions(ctx context.Context, projectRef string) error {
+	resp, err := utils.GetSupabase().V1GetNetworkRestrictionsWithResponse(ctx, projectRef)
+	if err != nil {
+		return errors.Errorf("failed to read network restrictions config: %w", err)
+	} else if resp.JSON200 == nil {
+		return errors.Errorf("unexpected network restrictions config status %d: %s", resp.StatusCode(), string(resp.Body))
+	}
+	utils.Config.Db.NetworkRestrictions.FromRemoteNetworkRestrictions(*resp.JSON200)
+	return nil
+}
+
 func linkDatabase(ctx context.Context, config pgconn.Config, fsys afero.Fs, options ...func(*pgx.ConnConfig)) error {
 	conn, err := utils.ConnectByConfig(ctx, config, options...)
 	if err != nil {
diff --git a/pkg/config/db.go b/pkg/config/db.go
@@ -67,18 +67,24 @@ type (
 		WorkMem                       *string                 `toml:"work_mem"`
 	}
 
+	networkRestrictions struct {
+		DbAllowedCidrs   []string `toml:"db_allowed_cidrs"`
+		DbAllowedCidrsV6 []string `toml:"db_allowed_cidrs_v6"`
+	}
+
 	db struct {
-		Image        string            `toml:"-"`
-		Port         uint16            `toml:"port"`
-		ShadowPort   uint16            `toml:"shadow_port"`
-		MajorVersion uint              `toml:"major_version"`
-		Password     string            `toml:"-"`
-		RootKey      Secret            `toml:"root_key"`
-		Pooler       pooler            `toml:"pooler"`
-		Migrations   migrations        `toml:"migrations"`
-		Seed         seed              `toml:"seed"`
-		Settings     settings          `toml:"settings"`
-		Vault        map[string]Secret `toml:"vault"`
+		Image               string              `toml:"-"`
+		Port                uint16              `toml:"port"`
+		ShadowPort          uint16              `toml:"shadow_port"`
+		MajorVersion        uint                `toml:"major_version"`
+		Password            string              `toml:"-"`
+		RootKey             Secret              `toml:"root_key"`
+		Pooler              pooler              `toml:"pooler"`
+		Migrations          migrations          `toml:"migrations"`
+		Seed                seed                `toml:"seed"`
+		Settings            settings            `toml:"settings"`
+		NetworkRestrictions networkRestrictions `toml:"network_restrictions"`
+		Vault               map[string]Secret   `toml:"vault"`
 	}
 
 	migrations struct {
@@ -188,3 +194,40 @@ func (a *settings) DiffWithRemote(remoteConfig v1API.PostgresConfigResponse) ([]
 	}
 	return diff.Diff("remote[db.settings]", remoteCompare, "local[db.settings]", currentValue), nil
 }
+
+func (n *networkRestrictions) ToUpdateNetworkRestrictionsBody() v1API.V1UpdateNetworkRestrictionsJSONRequestBody {
+	body := v1API.V1UpdateNetworkRestrictionsJSONRequestBody{}
+	if len(n.DbAllowedCidrs) > 0 {
+		body.DbAllowedCidrs = &n.DbAllowedCidrs
+	}
+	if len(n.DbAllowedCidrsV6) > 0 {
+		body.DbAllowedCidrsV6 = &n.DbAllowedCidrsV6
+	}
+	return body
+}
+
+func (n *networkRestrictions) FromRemoteNetworkRestrictions(remoteConfig v1API.NetworkRestrictionsResponse) {
+	n.DbAllowedCidrs = nil
+	n.DbAllowedCidrsV6 = nil
+	if remoteConfig.Config.DbAllowedCidrs != nil {
+		n.DbAllowedCidrs = *remoteConfig.Config.DbAllowedCidrs
+	}
+	if remoteConfig.Config.DbAllowedCidrsV6 != nil {
+		n.DbAllowedCidrsV6 = *remoteConfig.Config.DbAllowedCidrsV6
+	}
+}
+
+func (n *networkRestrictions) DiffWithRemote(remoteConfig v1API.NetworkRestrictionsResponse) ([]byte, error) {
+	copy := *n
+	// Convert the config values into easily comparable remoteConfig values
+	currentValue, err := ToTomlBytes(copy)
+	if err != nil {
+		return nil, err
+	}
+	copy.FromRemoteNetworkRestrictions(remoteConfig)
+	remoteCompare, err := ToTomlBytes(copy)
+	if err != nil {
+		return nil, err
+	}
+	return diff.Diff("remote[db.network_restrictions]", remoteCompare, "local[db.network_restrictions]", currentValue), nil
+}
diff --git a/pkg/config/db_test.go b/pkg/config/db_test.go
@@ -182,3 +182,106 @@ func TestSettingsToPostgresConfig(t *testing.T) {
 		assert.NotContains(t, got, "=")
 	})
 }
+
+func TestNetworkRestrictionsToUpdateBody(t *testing.T) {
+	t.Run("converts empty restrictions", func(t *testing.T) {
+		nr := networkRestrictions{
+			DbAllowedCidrs:   []string{},
+			DbAllowedCidrsV6: []string{},
+		}
+		body := nr.ToUpdateNetworkRestrictionsBody()
+		assert.Nil(t, body.DbAllowedCidrs)
+		assert.Nil(t, body.DbAllowedCidrsV6)
+	})
+
+	t.Run("converts populated restrictions", func(t *testing.T) {
+		nr := networkRestrictions{
+			DbAllowedCidrs:   []string{"192.168.1.0/24", "10.0.0.0/8"},
+			DbAllowedCidrsV6: []string{"2001:db8::/32"},
+		}
+		body := nr.ToUpdateNetworkRestrictionsBody()
+		assert.Equal(t, []string{"192.168.1.0/24", "10.0.0.0/8"}, *body.DbAllowedCidrs)
+		assert.Equal(t, []string{"2001:db8::/32"}, *body.DbAllowedCidrsV6)
+	})
+}
+
+func TestNetworkRestrictionsFromRemote(t *testing.T) {
+	t.Run("converts from remote config", func(t *testing.T) {
+		ipv4Cidrs := []string{"192.168.1.0/24"}
+		ipv6Cidrs := []string{"2001:db8::/32"}
+		remoteConfig := v1API.NetworkRestrictionsResponse{
+			Config: struct {
+				DbAllowedCidrs   *[]string `json:"dbAllowedCidrs,omitempty"`
+				DbAllowedCidrsV6 *[]string `json:"dbAllowedCidrsV6,omitempty"`
+			}{
+				DbAllowedCidrs:   &ipv4Cidrs,
+				DbAllowedCidrsV6: &ipv6Cidrs,
+			},
+		}
+		nr := networkRestrictions{}
+		nr.FromRemoteNetworkRestrictions(remoteConfig)
+		assert.Equal(t, []string{"192.168.1.0/24"}, nr.DbAllowedCidrs)
+		assert.Equal(t, []string{"2001:db8::/32"}, nr.DbAllowedCidrsV6)
+	})
+
+	t.Run("handles nil remote config", func(t *testing.T) {
+		remoteConfig := v1API.NetworkRestrictionsResponse{
+			Config: struct {
+				DbAllowedCidrs   *[]string `json:"dbAllowedCidrs,omitempty"`
+				DbAllowedCidrsV6 *[]string `json:"dbAllowedCidrsV6,omitempty"`
+			}{},
+		}
+		nr := networkRestrictions{
+			DbAllowedCidrs:   []string{"existing"},
+			DbAllowedCidrsV6: []string{"existing"},
+		}
+		nr.FromRemoteNetworkRestrictions(remoteConfig)
+		assert.Empty(t, nr.DbAllowedCidrs)
+		assert.Empty(t, nr.DbAllowedCidrsV6)
+	})
+}
+
+func TestNetworkRestrictionsDiff(t *testing.T) {
+	t.Run("detects differences", func(t *testing.T) {
+		local := networkRestrictions{
+			DbAllowedCidrs:   []string{"192.168.1.0/24"},
+			DbAllowedCidrsV6: []string{"2001:db8::/32"},
+		}
+		ipv4Cidrs := []string{"10.0.0.0/8"}
+		ipv6Cidrs := []string{"2001:db8::/32"}
+		remoteConfig := v1API.NetworkRestrictionsResponse{
+			Config: struct {
+				DbAllowedCidrs   *[]string `json:"dbAllowedCidrs,omitempty"`
+				DbAllowedCidrsV6 *[]string `json:"dbAllowedCidrsV6,omitempty"`
+			}{
+				DbAllowedCidrs:   &ipv4Cidrs,
+				DbAllowedCidrsV6: &ipv6Cidrs,
+			},
+		}
+		diff, err := local.DiffWithRemote(remoteConfig)
+		assert.NoError(t, err)
+		assert.Contains(t, string(diff), "192.168.1.0/24")
+		assert.Contains(t, string(diff), "10.0.0.0/8")
+	})
+
+	t.Run("no differences", func(t *testing.T) {
+		local := networkRestrictions{
+			DbAllowedCidrs:   []string{"192.168.1.0/24"},
+			DbAllowedCidrsV6: []string{"2001:db8::/32"},
+		}
+		ipv4Cidrs := []string{"192.168.1.0/24"}
+		ipv6Cidrs := []string{"2001:db8::/32"}
+		remoteConfig := v1API.NetworkRestrictionsResponse{
+			Config: struct {
+				DbAllowedCidrs   *[]string `json:"dbAllowedCidrs,omitempty"`
+				DbAllowedCidrsV6 *[]string `json:"dbAllowedCidrsV6,omitempty"`
+			}{
+				DbAllowedCidrs:   &ipv4Cidrs,
+				DbAllowedCidrsV6: &ipv6Cidrs,
+			},
+		}
+		diff, err := local.DiffWithRemote(remoteConfig)
+		assert.NoError(t, err)
+		assert.Empty(t, diff)
+	})
+}
diff --git a/pkg/config/templates/config.toml b/pkg/config/templates/config.toml
@@ -59,6 +59,14 @@ enabled = true
 # Supports glob patterns relative to supabase directory: "./seeds/*.sql"
 sql_paths = ["./seed.sql"]
 
+[db.network_restrictions]
+# List of IPv4 CIDR blocks allowed to connect to the database.
+# Use "0.0.0.0/0" to allow all IPv4 connections.
+db_allowed_cidrs = []
+# List of IPv6 CIDR blocks allowed to connect to the database.
+# Use "::/0" to allow all IPv6 connections.
+db_allowed_cidrs_v6 = []
+
 [realtime]
 enabled = true
 # Bind realtime via either IPv4 or IPv6. (default: IPv4)
diff --git a/pkg/config/updater.go b/pkg/config/updater.go
@@ -97,6 +97,38 @@ func (u *ConfigUpdater) UpdateDbConfig(ctx context.Context, projectRef string, c
 	if err := u.UpdateDbSettingsConfig(ctx, projectRef, c.Settings, filter...); err != nil {
 		return err
 	}
+	if err := u.UpdateDbNetworkRestrictionsConfig(ctx, projectRef, c.NetworkRestrictions, filter...); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (u *ConfigUpdater) UpdateDbNetworkRestrictionsConfig(ctx context.Context, projectRef string, n networkRestrictions, filter ...func(string) bool) error {
+	networkRestrictionsConfig, err := u.client.V1GetNetworkRestrictionsWithResponse(ctx, projectRef)
+	if err != nil {
+		return errors.Errorf("failed to read network restrictions config: %w", err)
+	} else if networkRestrictionsConfig.JSON200 == nil {
+		return errors.Errorf("unexpected status %d: %s", networkRestrictionsConfig.StatusCode(), string(networkRestrictionsConfig.Body))
+	}
+	networkRestrictionsDiff, err := n.DiffWithRemote(*networkRestrictionsConfig.JSON200)
+	if err != nil {
+		return err
+	} else if len(networkRestrictionsDiff) == 0 {
+		fmt.Fprintln(os.Stderr, "Remote network restrictions config is up to date.")
+		return nil
+	}
+	fmt.Fprintln(os.Stderr, "Updating network restrictions with config:", string(networkRestrictionsDiff))
+	for _, keep := range filter {
+		if !keep("db") {
+			return nil
+		}
+	}
+	updateBody := n.ToUpdateNetworkRestrictionsBody()
+	if resp, err := u.client.V1UpdateNetworkRestrictionsWithResponse(ctx, projectRef, updateBody); err != nil {
+		return errors.Errorf("failed to update network restrictions config: %w", err)
+	} else if resp.JSON201 == nil {
+		return errors.Errorf("unexpected status %d: %s", resp.StatusCode(), string(resp.Body))
+	}
 	return nil
 }
 
