feat: add support for privileges and default_privileges in .pgschemaignore (#339)

Add [privileges] and [default_privileges] sections to .pgschemaignore that
filter grants by grantee role name patterns. This allows ignoring privilege
statements for roles that don't exist in the plan database (e.g., production
roles not available in embedded postgres).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: tianzhou

cmd/ignore_integration_test.go

@@ -951,6 +951,181 @@ func verifyDumpOutput(t *testing.T, output string) {
 	}
 }
 
+func TestIgnorePrivileges(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Skipping integration test in short mode")
+	}
+
+	embeddedPG := testutil.SetupPostgres(t)
+	defer embeddedPG.Stop()
+	conn, host, port, dbname, user, password := testutil.ConnectToPostgres(t, embeddedPG)
+	defer conn.Close()
+
+	containerInfo := &struct {
+		Conn     *sql.DB
+		Host     string
+		Port     int
+		DBName   string
+		User     string
+		Password string
+	}{
+		Conn:     conn,
+		Host:     host,
+		Port:     port,
+		DBName:   dbname,
+		User:     user,
+		Password: password,
+	}
+
+	// Create schema with roles and privileges
+	setupSQL := `
+CREATE TABLE users (
+    id SERIAL PRIMARY KEY,
+    name TEXT NOT NULL,
+    email TEXT NOT NULL
+);
+
+CREATE TABLE orders (
+    id SERIAL PRIMARY KEY,
+    user_id INTEGER REFERENCES users(id),
+    total_amount DECIMAL(10,2) NOT NULL
+);
+
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'app_reader') THEN
+        CREATE ROLE app_reader;
+    END IF;
+    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'deploy_bot') THEN
+        CREATE ROLE deploy_bot;
+    END IF;
+    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'admin_role') THEN
+        CREATE ROLE admin_role;
+    END IF;
+END $$;
+
+-- Privileges to keep
+GRANT SELECT ON users TO app_reader;
+GRANT SELECT ON orders TO app_reader;
+
+-- Privileges to ignore (deploy_bot)
+GRANT ALL ON users TO deploy_bot;
+GRANT ALL ON orders TO deploy_bot;
+
+-- Privileges to ignore (admin_role)
+GRANT SELECT, INSERT, UPDATE, DELETE ON users TO admin_role;
+
+-- Default privileges to keep
+ALTER DEFAULT PRIVILEGES GRANT SELECT ON TABLES TO app_reader;
+
+-- Default privileges to ignore (deploy_bot)
+ALTER DEFAULT PRIVILEGES GRANT ALL ON TABLES TO deploy_bot;
+`
+	_, err := conn.Exec(setupSQL)
+	if err != nil {
+		t.Fatalf("Failed to create test schema: %v", err)
+	}
+
+	originalWd, err := os.Getwd()
+	if err != nil {
+		t.Fatalf("Failed to get current working directory: %v", err)
+	}
+	defer os.Chdir(originalWd)
+
+	tmpDir := t.TempDir()
+	os.Chdir(tmpDir)
+
+	// Create .pgschemaignore with privileges section
+	ignoreContent := `[privileges]
+patterns = ["deploy_bot", "admin_*"]
+
+[default_privileges]
+patterns = ["deploy_bot"]
+`
+	err = os.WriteFile(".pgschemaignore", []byte(ignoreContent), 0644)
+	if err != nil {
+		t.Fatalf("Failed to create .pgschemaignore: %v", err)
+	}
+
+	t.Run("dump", func(t *testing.T) {
+		output := executeIgnoreDumpCommand(t, containerInfo)
+
+		// Privileges for app_reader should be present
+		if !strings.Contains(output, "app_reader") {
+			t.Error("Dump should include privileges for app_reader")
+		}
+
+		// Privileges for deploy_bot should be ignored
+		if strings.Contains(output, "deploy_bot") {
+			t.Error("Dump should not include privileges for deploy_bot (ignored)")
+		}
+
+		// Privileges for admin_role should be ignored (matches admin_*)
+		if strings.Contains(output, "admin_role") {
+			t.Error("Dump should not include privileges for admin_role (ignored by admin_* pattern)")
+		}
+	})
+
+	t.Run("plan", func(t *testing.T) {
+		// Create schema file that adds new privileges
+		schemaSQL := `
+CREATE TABLE users (
+    id SERIAL PRIMARY KEY,
+    name TEXT NOT NULL,
+    email TEXT NOT NULL
+);
+
+CREATE TABLE orders (
+    id SERIAL PRIMARY KEY,
+    user_id INTEGER REFERENCES users(id),
+    total_amount DECIMAL(10,2) NOT NULL
+);
+
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'app_reader') THEN
+        CREATE ROLE app_reader;
+    END IF;
+    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'deploy_bot') THEN
+        CREATE ROLE deploy_bot;
+    END IF;
+    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'admin_role') THEN
+        CREATE ROLE admin_role;
+    END IF;
+END $$;
+
+-- Keep these privileges
+GRANT SELECT ON users TO app_reader;
+GRANT SELECT ON orders TO app_reader;
+
+-- These should be ignored in plan
+GRANT ALL ON users TO deploy_bot;
+GRANT ALL ON orders TO deploy_bot;
+GRANT SELECT, INSERT, UPDATE, DELETE ON users TO admin_role;
+
+-- Default privileges
+ALTER DEFAULT PRIVILEGES GRANT SELECT ON TABLES TO app_reader;
+ALTER DEFAULT PRIVILEGES GRANT ALL ON TABLES TO deploy_bot;
+`
+		schemaFile := "schema_privs.sql"
+		err := os.WriteFile(schemaFile, []byte(schemaSQL), 0644)
+		if err != nil {
+			t.Fatalf("Failed to create schema file: %v", err)
+		}
+		defer os.Remove(schemaFile)
+
+		output := executeIgnorePlanCommand(t, containerInfo, schemaFile)
+
+		// Plan should not contain any changes for ignored roles
+		if strings.Contains(output, "deploy_bot") {
+			t.Error("Plan should not include changes for deploy_bot (ignored)")
+		}
+		if strings.Contains(output, "admin_role") {
+			t.Error("Plan should not include changes for admin_role (ignored)")
+		}
+	})
+}
+
 // verifyPlanOutput checks that plan output excludes ignored objects
 func verifyPlanOutput(t *testing.T, output string) {
 	// Changes that should appear in plan (regular objects)

cmd/util/ignoreloader.go

@@ -28,12 +28,14 @@ func LoadIgnoreFileFromPath(filePath string) (*ir.IgnoreConfig, error) {
 // TomlConfig represents the TOML structure of the .pgschemaignore file
 // This is used for parsing more complex configurations if needed in the future
 type TomlConfig struct {
-	Tables     TableIgnoreConfig     `toml:"tables,omitempty"`
-	Views      ViewIgnoreConfig      `toml:"views,omitempty"`
-	Functions  FunctionIgnoreConfig  `toml:"functions,omitempty"`
-	Procedures ProcedureIgnoreConfig `toml:"procedures,omitempty"`
-	Types      TypeIgnoreConfig      `toml:"types,omitempty"`
-	Sequences  SequenceIgnoreConfig  `toml:"sequences,omitempty"`
+	Tables            TableIgnoreConfig            `toml:"tables,omitempty"`
+	Views             ViewIgnoreConfig             `toml:"views,omitempty"`
+	Functions         FunctionIgnoreConfig         `toml:"functions,omitempty"`
+	Procedures        ProcedureIgnoreConfig        `toml:"procedures,omitempty"`
+	Types             TypeIgnoreConfig             `toml:"types,omitempty"`
+	Sequences         SequenceIgnoreConfig         `toml:"sequences,omitempty"`
+	Privileges        PrivilegeIgnoreConfig        `toml:"privileges,omitempty"`
+	DefaultPrivileges DefaultPrivilegeIgnoreConfig `toml:"default_privileges,omitempty"`
 }
 
 // TableIgnoreConfig represents table-specific ignore configuration
@@ -66,6 +68,18 @@ type SequenceIgnoreConfig struct {
 	Patterns []string `toml:"patterns,omitempty"`
 }
 
+// PrivilegeIgnoreConfig represents privilege-specific ignore configuration
+// Patterns match on grantee role names
+type PrivilegeIgnoreConfig struct {
+	Patterns []string `toml:"patterns,omitempty"`
+}
+
+// DefaultPrivilegeIgnoreConfig represents default privilege-specific ignore configuration
+// Patterns match on grantee role names
+type DefaultPrivilegeIgnoreConfig struct {
+	Patterns []string `toml:"patterns,omitempty"`
+}
+
 // LoadIgnoreFileWithStructure loads the .pgschemaignore file using the structured TOML format
 // and converts it to the simple IgnoreConfig structure
 func LoadIgnoreFileWithStructure() (*ir.IgnoreConfig, error) {
@@ -91,12 +105,14 @@ func LoadIgnoreFileWithStructureFromPath(filePath string) (*ir.IgnoreConfig, err
 
 	// Convert to simple IgnoreConfig structure
 	config := &ir.IgnoreConfig{
-		Tables:     tomlConfig.Tables.Patterns,
-		Views:      tomlConfig.Views.Patterns,
-		Functions:  tomlConfig.Functions.Patterns,
-		Procedures: tomlConfig.Procedures.Patterns,
-		Types:      tomlConfig.Types.Patterns,
-		Sequences:  tomlConfig.Sequences.Patterns,
+		Tables:            tomlConfig.Tables.Patterns,
+		Views:             tomlConfig.Views.Patterns,
+		Functions:         tomlConfig.Functions.Patterns,
+		Procedures:        tomlConfig.Procedures.Patterns,
+		Types:             tomlConfig.Types.Patterns,
+		Sequences:         tomlConfig.Sequences.Patterns,
+		Privileges:        tomlConfig.Privileges.Patterns,
+		DefaultPrivileges: tomlConfig.DefaultPrivileges.Patterns,
 	}
 
 	return config, nil

ir/ignore.go

@@ -7,12 +7,14 @@ import (
 
 // IgnoreConfig represents the configuration for ignoring database objects
 type IgnoreConfig struct {
-	Tables     []string `toml:"tables,omitempty"`
-	Views      []string `toml:"views,omitempty"`
-	Functions  []string `toml:"functions,omitempty"`
-	Procedures []string `toml:"procedures,omitempty"`
-	Types      []string `toml:"types,omitempty"`
-	Sequences  []string `toml:"sequences,omitempty"`
+	Tables            []string `toml:"tables,omitempty"`
+	Views             []string `toml:"views,omitempty"`
+	Functions         []string `toml:"functions,omitempty"`
+	Procedures        []string `toml:"procedures,omitempty"`
+	Types             []string `toml:"types,omitempty"`
+	Sequences         []string `toml:"sequences,omitempty"`
+	Privileges        []string `toml:"privileges,omitempty"`
+	DefaultPrivileges []string `toml:"default_privileges,omitempty"`
 }
 
 // ShouldIgnoreTable checks if a table should be ignored based on the patterns
@@ -63,6 +65,22 @@ func (c *IgnoreConfig) ShouldIgnoreSequence(sequenceName string) bool {
 	return c.shouldIgnore(sequenceName, c.Sequences)
 }
 
+// ShouldIgnorePrivilege checks if a privilege should be ignored based on the grantee role name
+func (c *IgnoreConfig) ShouldIgnorePrivilege(grantee string) bool {
+	if c == nil {
+		return false
+	}
+	return c.shouldIgnore(grantee, c.Privileges)
+}
+
+// ShouldIgnoreDefaultPrivilege checks if a default privilege should be ignored based on the grantee role name
+func (c *IgnoreConfig) ShouldIgnoreDefaultPrivilege(grantee string) bool {
+	if c == nil {
+		return false
+	}
+	return c.shouldIgnore(grantee, c.DefaultPrivileges)
+}
+
 // shouldIgnore checks if a name should be ignored based on the patterns
 // Patterns support wildcards (*) and negation (!)
 // Negation patterns (starting with !) take precedence over inclusion patterns

ir/inspector.go

@@ -2030,6 +2030,11 @@ func (i *Inspector) buildPrivileges(ctx context.Context, schema *IR, targetSchem
 			continue
 		}
 
+		// Skip privileges for ignored grantees
+		if i.ignoreConfig != nil && i.ignoreConfig.ShouldIgnorePrivilege(grantee) {
+			continue
+		}
+
 		// Check for default PUBLIC grants that should be excluded
 		if grantee == "PUBLIC" {
 			if (objectType == "FUNCTION" || objectType == "PROCEDURE") && privilegeType == "EXECUTE" {
@@ -2174,6 +2179,11 @@ func (i *Inspector) buildDefaultPrivileges(ctx context.Context, schema *IR, targ
 			continue
 		}
 
+		// Skip default privileges for ignored grantees
+		if i.ignoreConfig != nil && i.ignoreConfig.ShouldIgnoreDefaultPrivilege(p.Grantee.String) {
+			continue
+		}
+
 		key := privKey{
 			OwnerRole:       p.OwnerRole.String,
 			ObjectType:      p.ObjectType.String,
@@ -2369,6 +2379,11 @@ func (i *Inspector) buildColumnPrivileges(ctx context.Context, schema *IR, targe
 			}
 		}
 
+		// Skip column privileges for ignored grantees
+		if i.ignoreConfig != nil && i.ignoreConfig.ShouldIgnorePrivilege(grantee) {
+			continue
+		}
+
 		key := colPrivKey{
 			TableName:       tableName,
 			Grantee:         grantee,