From edaca40d9121d771ac58b535d9bef701548976dd Mon Sep 17 00:00:00 2001
From: Kang Ming <kang.ming1996@gmail.com>
Date: Tue, 22 Apr 2025 23:59:59 +0800
Subject: [PATCH 1/5] chore: add test for pgbouncer.get_auth

---
 nix/tests/expected/pgbouncer.out | 21 ++++++++++++++++++++-
 nix/tests/sql/pgbouncer.sql      | 15 ++++++++++++++-
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/nix/tests/expected/pgbouncer.out b/nix/tests/expected/pgbouncer.out
index 17f2c6293..83845cb52 100644
--- a/nix/tests/expected/pgbouncer.out
+++ b/nix/tests/expected/pgbouncer.out
@@ -58,7 +58,7 @@ SELECT
 FROM pg_proc p 
 JOIN schema_obj s ON s.oid = p.pronamespace 
 CROSS JOIN LATERAL aclexplode(p.proacl) AS acl 
-ORDER BY object_name, grantee, privilege_type; 
+ORDER BY object_name, grantee, privilege_type;
   schema   | object_name |    grantee     | privilege_type 
 -----------+-------------+----------------+----------------
  pgbouncer | get_auth    | pgbouncer      | EXECUTE
@@ -66,3 +66,22 @@ ORDER BY object_name, grantee, privilege_type;
  pgbouncer | get_auth    | supabase_admin | EXECUTE
 (3 rows)
 
+-- Ensure that pgbouncer.get_auth() function does not return an expired password
+create role test_expired_user_password with login password 'expired_password' valid until '2000-01-01 00:00:00+00';
+create role test_valid_user_password with login password 'valid_password' valid until '2100-01-01 00:00:00+00';
+-- Update the pg_authid catalog directly to replace with a known SCRAM hash
+update pg_authid set rolpassword = 'SCRAM-SHA-256$4096:testsaltbase64$storedkeybase64$serverkeybase64' where rolname = 'test_valid_user_password';
+select pgbouncer.get_auth('test_expired_user_password');
+           get_auth            
+-------------------------------
+ (test_expired_user_password,)
+(1 row)
+
+select pgbouncer.get_auth('test_valid_user_password');
+                                           get_auth                                           
+----------------------------------------------------------------------------------------------
+ (test_valid_user_password,SCRAM-SHA-256$4096:testsaltbase64$storedkeybase64$serverkeybase64)
+(1 row)
+
+drop role test_expired_user_password;
+drop role test_valid_user_password;
diff --git a/nix/tests/sql/pgbouncer.sql b/nix/tests/sql/pgbouncer.sql
index 4ddac10e2..e6b56cb6b 100644
--- a/nix/tests/sql/pgbouncer.sql
+++ b/nix/tests/sql/pgbouncer.sql
@@ -50,4 +50,17 @@ SELECT
 FROM pg_proc p 
 JOIN schema_obj s ON s.oid = p.pronamespace 
 CROSS JOIN LATERAL aclexplode(p.proacl) AS acl 
-ORDER BY object_name, grantee, privilege_type; 
+ORDER BY object_name, grantee, privilege_type;
+
+-- Ensure that pgbouncer.get_auth() function does not return an expired password
+create role test_expired_user_password with login password 'expired_password' valid until '2000-01-01 00:00:00+00';
+create role test_valid_user_password with login password 'valid_password' valid until '2100-01-01 00:00:00+00';
+-- Update the pg_authid catalog directly to replace with a known SCRAM hash
+update pg_authid set rolpassword = 'SCRAM-SHA-256$4096:testsaltbase64$storedkeybase64$serverkeybase64' where rolname = 'test_valid_user_password';
+
+select pgbouncer.get_auth('test_expired_user_password');
+
+select pgbouncer.get_auth('test_valid_user_password');
+
+drop role test_expired_user_password;
+drop role test_valid_user_password;

From f670f7d0291a27d0305dfb2d48e3b52b23461771 Mon Sep 17 00:00:00 2001
From: Kang Ming <kang.ming1996@gmail.com>
Date: Wed, 23 Apr 2025 00:39:21 +0800
Subject: [PATCH 2/5] chore: update schema files

---
 migrations/schema-15.sql          | 14 +++++++-------
 migrations/schema-17.sql          | 14 +++++++-------
 migrations/schema-orioledb-17.sql | 14 +++++++-------
 3 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/migrations/schema-15.sql b/migrations/schema-15.sql
index 56390f882..5a38517ba 100644
--- a/migrations/schema-15.sql
+++ b/migrations/schema-15.sql
@@ -495,13 +495,13 @@ begin
     raise debug 'PgBouncer auth request: %', p_usename;
 
     return query
-    select
-        rolname::text,
-        case when rolvaliduntil < now()
-            then null
-            else rolpassword::text
-        end
-    from pg_authid
+    select 
+        rolname::text, 
+        case when rolvaliduntil < now() 
+            then null 
+            else rolpassword::text 
+        end 
+    from pg_authid 
     where rolname=$1 and rolcanlogin;
 end;
 $_$;
diff --git a/migrations/schema-17.sql b/migrations/schema-17.sql
index ed8480733..f120b1b27 100644
--- a/migrations/schema-17.sql
+++ b/migrations/schema-17.sql
@@ -482,13 +482,13 @@ begin
     raise debug 'PgBouncer auth request: %', p_usename;
 
     return query
-    select
-        rolname::text,
-        case when rolvaliduntil < now()
-            then null
-            else rolpassword::text
-        end
-    from pg_authid
+    select 
+        rolname::text, 
+        case when rolvaliduntil < now() 
+            then null 
+            else rolpassword::text 
+        end 
+    from pg_authid 
     where rolname=$1 and rolcanlogin;
 end;
 $_$;
diff --git a/migrations/schema-orioledb-17.sql b/migrations/schema-orioledb-17.sql
index 482cefe88..8c5d32c39 100644
--- a/migrations/schema-orioledb-17.sql
+++ b/migrations/schema-orioledb-17.sql
@@ -496,13 +496,13 @@ begin
     raise debug 'PgBouncer auth request: %', p_usename;
 
     return query
-    select
-        rolname::text,
-        case when rolvaliduntil < now()
-            then null
-            else rolpassword::text
-        end
-    from pg_authid
+    select 
+        rolname::text, 
+        case when rolvaliduntil < now() 
+            then null 
+            else rolpassword::text 
+        end 
+    from pg_authid 
     where rolname=$1 and rolcanlogin;
 end;
 $_$;

From b9596f538549b54dac5f90ae1876a90df6a998fd Mon Sep 17 00:00:00 2001
From: Kang Ming <kang.ming1996@gmail.com>
Date: Wed, 23 Apr 2025 00:55:44 +0800
Subject: [PATCH 3/5] chore: bump ami version for testing

---
 ansible/vars.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ansible/vars.yml b/ansible/vars.yml
index d0251b3dc..0d40276bb 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -9,9 +9,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.0.1.067-orioledb"
-  postgres17: "17.4.1.017"
-  postgres15: "15.8.1.074"
+  postgresorioledb-17: "17.0.1.068-orioledb-rc-1"
+  postgres17: "17.4.1.018-rc-1"
+  postgres15: "15.8.1.075-rc-1"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"

From 3d9a87fd33badc8e4b97bdcf830cd07138d0b49f Mon Sep 17 00:00:00 2001
From: Kang Ming <kang.ming1996@gmail.com>
Date: Wed, 23 Apr 2025 21:57:22 +0800
Subject: [PATCH 4/5] chore: update postgres version string for testing

---
 ansible/vars.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ansible/vars.yml b/ansible/vars.yml
index 0d40276bb..2d4fe7815 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -9,9 +9,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.0.1.068-orioledb-rc-1"
-  postgres17: "17.4.1.018-rc-1"
-  postgres15: "15.8.1.075-rc-1"
+  postgresorioledb-17: "17.0.1.069-orioledb-pgbouncer-rc-1"
+  postgres17: "17.4.1.019-pgbouncer-rc-1"
+  postgres15: "15.8.1.076-pgbouncer-rc-1"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"

From 582e24b1ff51176dac85fd5ccea1eac9de941dfa Mon Sep 17 00:00:00 2001
From: Kang Ming <kang.ming1996@gmail.com>
Date: Thu, 24 Apr 2025 01:43:27 +0800
Subject: [PATCH 5/5] chore: bump postgres version strings

---
 ansible/vars.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ansible/vars.yml b/ansible/vars.yml
index 019f19279..735e08923 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -9,9 +9,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.0.1.068-orioledb"
-  postgres17: "17.4.1.018"
-  postgres15: "15.8.1.075"
+  postgresorioledb-17: "17.0.1.069-orioledb"
+  postgres17: "17.4.1.019"
+  postgres15: "15.8.1.076"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"