19497490251

Committed 19 Nov 2025 10:07AM UTC coverage: 55.082% (+0.006%) from 55.076%

Build # 19497490251

Build Type

Pull #4420

github

Committed by

web-flow

Commit Message

Merge 7439d428c into 28425f504

Pull Request Pull Request #4420: feat: support append mode when updating network restrictions

Run Details

25 of 38 new or added lines in 3 files covered. (65.79%)

57 existing lines in 3 files now uncovered.

6530 of 11855 relevant lines covered (55.08%)

6.26 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

84.13

/internal/restrictions/update/update.go

package update

import (
        "context"
        "fmt"
        "net"

        "github.com/go-errors/errors"
        "github.com/supabase/cli/internal/utils"
        "github.com/supabase/cli/pkg/api"
)

// Run updates the network restriction lists using the provided CIDRs.
func Run(ctx context.Context, projectRef string, dbCidrsToAllow []string, bypassCidrChecks bool, appendMode bool) error {
        // 1. separate CIDR to v4 and v6
        body := api.V1UpdateNetworkRestrictionsJSONRequestBody{
                DbAllowedCidrs:   &[]string{},
                DbAllowedCidrsV6: &[]string{},
        }
        for _, cidr := range dbCidrsToAllow {
                ip, _, err := net.ParseCIDR(cidr)
                if err != nil {
                        return errors.Errorf("failed to parse IP: %s", cidr)
                }
                if ip.IsPrivate() && !bypassCidrChecks {
                        return errors.Errorf("private IP provided: %s", cidr)
                }
                if ip.To4() != nil {
                        *body.DbAllowedCidrs = append(*body.DbAllowedCidrs, cidr)
                } else {
                        *body.DbAllowedCidrsV6 = append(*body.DbAllowedCidrsV6, cidr)
                }
        }

        if appendMode {
                return ApplyPatch(ctx, projectRef, body)
        }

        // 2. update restrictions
        resp, err := utils.GetSupabase().V1UpdateNetworkRestrictionsWithResponse(ctx, projectRef, body)
        if err != nil {
                return errors.Errorf("failed to apply network restrictions: %w", err)
        }
        if resp.JSON201 == nil {
                return errors.New("failed to apply network restrictions: " + string(resp.Body))
        }

        fmt.Printf("DB Allowed IPv4 CIDRs: %+v\n", resp.JSON201.Config.DbAllowedCidrs)
        fmt.Printf("DB Allowed IPv6 CIDRs: %+v\n", resp.JSON201.Config.DbAllowedCidrsV6)
        fmt.Printf("Restrictions applied successfully: %+v\n", resp.JSON201.Status == api.NetworkRestrictionsResponseStatusApplied)
        return nil
}

// ApplyPatch submits a network restriction payload using PATCH (add/remove mode).
func ApplyPatch(ctx context.Context, projectRef string, body api.V1UpdateNetworkRestrictionsJSONRequestBody) error {
        patchBody := api.V1PatchNetworkRestrictionsJSONRequestBody{
                Add: &struct {
                        DbAllowedCidrs   *[]string `json:"dbAllowedCidrs,omitempty"`
                        DbAllowedCidrsV6 *[]string `json:"dbAllowedCidrsV6,omitempty"`
                }{
                        DbAllowedCidrs:   body.DbAllowedCidrs,
                        DbAllowedCidrsV6: body.DbAllowedCidrsV6,
                },
        }

        resp, err := utils.GetSupabase().V1PatchNetworkRestrictionsWithResponse(ctx, projectRef, patchBody)
        if err != nil {
                return errors.Errorf("failed to apply network restrictions: %w", err)
        }
        if resp.JSON200 == nil {
                return errors.New("failed to apply network restrictions: " + string(resp.Body))
        }

        var allowedIPv4, allowedIPv6 []string
        if allowed := resp.JSON200.Config.DbAllowedCidrs; allowed != nil {
                for _, cidr := range *allowed {
                        switch cidr.Type {
                        case api.NetworkRestrictionsV2ResponseConfigDbAllowedCidrsTypeV4:
                                allowedIPv4 = append(allowedIPv4, cidr.Address)
                        case api.NetworkRestrictionsV2ResponseConfigDbAllowedCidrsTypeV6:
                                allowedIPv6 = append(allowedIPv6, cidr.Address)
                        }
                }
        }

        fmt.Printf("DB Allowed IPv4 CIDRs: %+v\n", &allowedIPv4)
        fmt.Printf("DB Allowed IPv6 CIDRs: %+v\n", &allowedIPv6)
        fmt.Printf("Restrictions applied successfully: %+v\n", resp.JSON200.Status == api.NetworkRestrictionsV2ResponseStatusApplied)
        return nil
}

1	package update
2
3	import (
4	"context"
5	"fmt"
6	"net"
7
8	"github.com/go-errors/errors"
9	"github.com/supabase/cli/internal/utils"
10	"github.com/supabase/cli/pkg/api"
11	)
12
13	// Run updates the network restriction lists using the provided CIDRs.
14	func Run(ctx context.Context, projectRef string, dbCidrsToAllow []string, bypassCidrChecks bool, appendMode bool) error {	7✔
15	// 1. separate CIDR to v4 and v6	7✔
16	body := api.V1UpdateNetworkRestrictionsJSONRequestBody{	7✔
17	DbAllowedCidrs: &[]string{},	7✔
18	DbAllowedCidrsV6: &[]string{},	7✔
19	}	7✔
20	for _, cidr := range dbCidrsToAllow {	17✔
21	ip, _, err := net.ParseCIDR(cidr)	10✔
22	if err != nil {	11✔
23	return errors.Errorf("failed to parse IP: %s", cidr)	1✔
24	}	1✔
25	if ip.IsPrivate() && !bypassCidrChecks {	10✔
26	return errors.Errorf("private IP provided: %s", cidr)	1✔
27	}	1✔
28	if ip.To4() != nil {	14✔
29	body.DbAllowedCidrs = append(body.DbAllowedCidrs, cidr)	6✔
30	} else {	8✔
31	body.DbAllowedCidrsV6 = append(body.DbAllowedCidrsV6, cidr)	2✔
32	}	2✔
33	}
34
35	if appendMode {	6✔
36	return ApplyPatch(ctx, projectRef, body)	1✔
37	}	1✔
38
39	// 2. update restrictions
40	resp, err := utils.GetSupabase().V1UpdateNetworkRestrictionsWithResponse(ctx, projectRef, body)	4✔
41	if err != nil {	5✔
42	return errors.Errorf("failed to apply network restrictions: %w", err)	1✔
43	}	1✔
44	if resp.JSON201 == nil {	4✔
45	return errors.New("failed to apply network restrictions: " + string(resp.Body))	1✔
46	}	1✔
47
48	fmt.Printf("DB Allowed IPv4 CIDRs: %+v\n", resp.JSON201.Config.DbAllowedCidrs)	2✔
49	fmt.Printf("DB Allowed IPv6 CIDRs: %+v\n", resp.JSON201.Config.DbAllowedCidrsV6)	2✔
50	fmt.Printf("Restrictions applied successfully: %+v\n", resp.JSON201.Status == api.NetworkRestrictionsResponseStatusApplied)	2✔
51	return nil	2✔
52	}
53
54	// ApplyPatch submits a network restriction payload using PATCH (add/remove mode).
55	func ApplyPatch(ctx context.Context, projectRef string, body api.V1UpdateNetworkRestrictionsJSONRequestBody) error {	1✔
56	patchBody := api.V1PatchNetworkRestrictionsJSONRequestBody{	1✔
57	Add: &struct {	1✔
58	DbAllowedCidrs *[]string `json:"dbAllowedCidrs,omitempty"`	1✔
59	DbAllowedCidrsV6 *[]string `json:"dbAllowedCidrsV6,omitempty"`	1✔
60	}{	1✔
61	DbAllowedCidrs: body.DbAllowedCidrs,	1✔
62	DbAllowedCidrsV6: body.DbAllowedCidrsV6,	1✔
63	},	1✔
64	}	1✔
65		1✔
66	resp, err := utils.GetSupabase().V1PatchNetworkRestrictionsWithResponse(ctx, projectRef, patchBody)	1✔
67	if err != nil {	1✔
NEW 68	return errors.Errorf("failed to apply network restrictions: %w", err)	×
NEW 69	}	×
70	if resp.JSON200 == nil {	1✔
NEW 71	return errors.New("failed to apply network restrictions: " + string(resp.Body))	×
NEW 72	}	×
73
74	var allowedIPv4, allowedIPv6 []string	1✔
75	if allowed := resp.JSON200.Config.DbAllowedCidrs; allowed != nil {	1✔
NEW 76	for _, cidr := range *allowed {	×
NEW 77	switch cidr.Type {	×
NEW 78	case api.NetworkRestrictionsV2ResponseConfigDbAllowedCidrsTypeV4:	×
NEW 79	allowedIPv4 = append(allowedIPv4, cidr.Address)	×
NEW 80	case api.NetworkRestrictionsV2ResponseConfigDbAllowedCidrsTypeV6:	×
NEW 81	allowedIPv6 = append(allowedIPv6, cidr.Address)	×
82	}
83	}
84	}
85
86	fmt.Printf("DB Allowed IPv4 CIDRs: %+v\n", &allowedIPv4)	1✔
87	fmt.Printf("DB Allowed IPv6 CIDRs: %+v\n", &allowedIPv6)	1✔
88	fmt.Printf("Restrictions applied successfully: %+v\n", resp.JSON200.Status == api.NetworkRestrictionsV2ResponseStatusApplied)	1✔
89	return nil	1✔
90	}

supabase / cli / 19497490251

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous