feat(gb-9105): schema/table allow/denylist

Author: pimeys

Cargo.lock

@@ -0,0 +1,74 @@
+# Changelog
+
+All notable changes to the Grafbase PostgreSQL CLI tool will be documented in this file.
+
+## [0.3.7] - 2025-05-22
+
+### Added
+- Schema and table filtering with allowlist/denylist options
+  - Added `schema_allowlist` and `schema_denylist` for global schema filtering
+  - Added `table_allowlist` and `table_denylist` for filtering tables within a schema
+  - Denylist takes precedence over allowlist when both are specified
+
+## [0.3.6] - 2025-05-21
+
+### Added
+- Support for `@derive` and `@is` directives in introspection
+- Added ability to define cross-database joins
+
+## [0.3.5] - 2025-05-21
+
+### Fixed
+- Fixed installer URL in documentation
+- Fixed typo in composite-schemas spec URL in postgres-introspection
+
+## [0.3.4] - 2025-05-15
+
+### Changed
+- Improved documentation clarity
+- Removed "you must build" text from documentation
+
+## [0.3.3] - 2025-05-14
+
+### Added
+- Reduced the amount of unused types in introspection output
+- Added more scalar types for PostgreSQL in the introspection library
+
+## [0.3.2] - 2025-05-09
+
+### Added
+- Support for cursor-based pagination in the generated schema
+
+## [0.3.1] - 2025-05-07
+
+### Added
+- Installation script for easier setup of the CLI tool
+
+### Fixed
+- Fixed enable/disable mutations functionality
+- Fixed installation documentation links
+
+## [0.3.0] - 2025-05-07
+
+### Added
+- Support for PostgreSQL views
+- Configuration options for enabling/disabling queries or mutations
+- Added PostgreSQL mTLS validation support
+
+### Fixed
+- Fixed CLI behavior when running without .env and config files
+
+## [0.2.0] - 2025-05-05
+
+### Added
+- Comprehensive README with usage examples
+- Release workflow for CLI binaries
+- Improved command-line interface
+- Support for lookup functionality for federation
+
+## [0.1.0] - 2025-04-04
+
+### Added
+- Initial implementation of the PostgreSQL CLI tool
+- Basic introspection capabilities for PostgreSQL databases
+- GraphQL SDL generation for tables and relationships

cli/postgres/CHANGELOG.md

@@ -1,6 +1,6 @@
 [package]
 name = "grafbase-postgres"
-version = "0.3.6"
+version = "0.3.7"
 edition = "2024"
 license = "Apache-2.0"
 

cli/postgres/Cargo.toml

@@ -127,6 +127,16 @@ enable_mutations = true
 # Defaults to true if you omit this setting.
 enable_queries = true
 
+# Schema allowlist: An array of schema names to include in the introspection.
+# If provided, only schemas in this list will be included.
+# If empty, all schemas will be included (unless in the denylist).
+schema_allowlist = []
+
+# Schema denylist: An array of schema names to exclude from the introspection.
+# Schemas in this list will be excluded even if they appear in the allowlist.
+# This takes precedence over the schema_allowlist.
+schema_denylist = []
+
 # Configure schemas for this database. Key-value from schema name to configuration.
 schemas = {}
 ```
@@ -144,6 +154,16 @@ enable_mutations = true
 # Takes precedence over the global setting. Defaults to true if you omit this setting.
 enable_queries = true
 
+# Table allowlist: An array of table names to include in the introspection.
+# If provided, only tables in this list will be included for this schema.
+# If empty, all tables will be included (unless in the denylist).
+table_allowlist = []
+
+# Table denylist: An array of table names to exclude from the introspection.
+# Tables in this list will be excluded even if they appear in the allowlist.
+# This takes precedence over the table_allowlist.
+table_denylist = []
+
 # Configure views for this schema.
 views = {}
 
@@ -431,6 +451,44 @@ type User @key(fields: "id") {
 }
 ```
 
+### Schema and Table Filtering
+
+You can control which database schemas and tables are included in the introspection process using allowlist and denylist options.
+
+#### Schema Filtering
+
+You can include or exclude specific database schemas using the following options:
+
+- `schema_allowlist`: An array of schema names to include. If provided, only schemas in this list will be included in the introspection.
+- `schema_denylist`: An array of schema names to exclude. Schemas in this list will be excluded from introspection, even if they appear in the allowlist.
+
+```toml
+# Example of schema filtering in config.toml
+extension_url = "https://grafbase.com/extensions/postgres/0.4.7"
+schema_allowlist = ["public", "app"]
+schema_denylist = ["internal"]
+```
+
+#### Table Filtering
+
+Within each schema, you can include or exclude specific tables using these options:
+
+- `table_allowlist`: An array of table names to include. If provided, only tables in this list will be included for that schema.
+- `table_denylist`: An array of table names to exclude. Tables in this list will be excluded, even if they appear in the allowlist.
+
+```toml
+# Example of table filtering in config.toml
+extension_url = "https://grafbase.com/extensions/postgres/0.4.7"
+
+[schemas.public]
+table_allowlist = ["users", "posts"]
+
+[schemas.internal]
+table_denylist = ["audit_logs", "system_metrics"]
+```
+
+When both allowlist and denylist are specified, the denylist takes precedence. For example, if a table is included in both `table_allowlist` and `table_denylist`, it will be excluded from the introspection.
+
 ## License
 
 Apache-2.0

cli/postgres/README.md

@@ -6,7 +6,7 @@ if [[ ${OS:-} = Windows_NT ]]; then
     exit 1
 fi
 
-LATEST_VERSION="0.3.6"
+LATEST_VERSION="0.3.7"
 
 # Reset
 Color_Off=''

cli/postgres/install.sh

@@ -35,6 +35,16 @@ pub struct Config {
     /// Configuration details for each schema within the database, keyed by schema name.
     #[serde(default)]
     pub schemas: BTreeMap<String, SchemaConfig>,
+    /// Optional list of schemas to include in the GraphQL schema.
+    /// If this list is populated, only schemas in this list will be included.
+    /// If empty, all schemas will be included.
+    #[serde(default)]
+    pub schema_allowlist: Vec<String>,
+    /// Optional list of schemas to exclude from the GraphQL schema.
+    /// If this list is populated, schemas in this list will be excluded even if they are in the allowlist.
+    /// This takes precedence over the allowlist.
+    #[serde(default)]
+    pub schema_denylist: Vec<String>,
 }
 
 impl Config {
@@ -84,6 +94,24 @@ impl Config {
                 .unwrap_or(self.enable_queries)
         }
     }
+
+    pub fn is_schema_included(&self, schema: &str) -> bool {
+        !self.schema_denylist.contains(&schema.to_string())
+            && (self.schema_allowlist.is_empty() || self.schema_allowlist.contains(&schema.to_string()))
+    }
+
+    /// Determines whether a table is included in the GraphQL schema based on the configuration.
+    /// A table is included if:
+    /// 1. It's not in the schema's table_denylist
+    /// 2. Either the schema's table_allowlist is empty or the table is in the allowlist
+    pub fn is_table_included(&self, schema: &str, table: &str) -> bool {
+        let Some(schema_config) = self.schemas.get(schema) else {
+            return true;
+        };
+
+        !schema_config.table_denylist.contains(&table.to_string())
+            && (schema_config.table_allowlist.is_empty() || schema_config.table_allowlist.contains(&table.to_string()))
+    }
 }
 
 /// Returns the default database name.
@@ -110,6 +138,16 @@ pub struct SchemaConfig {
     /// Configuration overrides for each table within the schema, keyed by table name.
     #[serde(default)]
     pub tables: BTreeMap<String, TableConfig>,
+    /// Optional list of tables to include in the GraphQL schema.
+    /// If this list is populated, only tables in this list will be included.
+    /// If empty, all tables will be included.
+    #[serde(default)]
+    pub table_allowlist: Vec<String>,
+    /// Optional list of tables to exclude from the GraphQL schema.
+    /// If this list is populated, tables in this list will be excluded even if they are in the allowlist.
+    /// This takes precedence over the allowlist.
+    #[serde(default)]
+    pub table_denylist: Vec<String>,
 }
 
 #[derive(Deserialize, Debug)]

crates/postgres-introspection/src/config.rs

@@ -23,9 +23,9 @@ mod tables;
 pub async fn introspect(conn: &mut sqlx::PgConnection, config: Config) -> anyhow::Result<String> {
     let mut database_definition = DatabaseDefinition::new(config.database_name.clone());
 
-    schemas::introspect_database(conn, &mut database_definition).await?;
+    schemas::introspect_database(conn, &config, &mut database_definition).await?;
     enums::introspect_database(conn, &mut database_definition).await?;
-    tables::introspect_database(conn, &mut database_definition).await?;
+    tables::introspect_database(conn, &config, &mut database_definition).await?;
     columns::introspect_database(conn, &config, &mut database_definition).await?;
     foreign_keys::introspect_database(conn, &config, &mut database_definition).await?;
     keys::introspect_database(conn, &config, &mut database_definition).await?;

crates/postgres-introspection/src/lib.rs

@@ -1,8 +1,11 @@
 use grafbase_database_definition::DatabaseDefinition;
 use sqlx::{PgConnection, Row};
 
+use crate::config::Config;
+
 pub(crate) async fn introspect_database(
     conn: &mut PgConnection,
+    config: &Config,
     database_definition: &mut DatabaseDefinition,
 ) -> anyhow::Result<()> {
     let query = "SELECT nspname AS name FROM pg_namespace WHERE nspname <> ALL ($1) ORDER BY name";
@@ -13,7 +16,11 @@ pub(crate) async fn introspect_database(
         .await?;
 
     for row in rows {
-        database_definition.push_schema(row.get(0));
+        let schema_name: String = row.get(0);
+
+        if config.is_schema_included(&schema_name) {
+            database_definition.push_schema(row.get(0));
+        }
     }
 
     Ok(())

crates/postgres-introspection/src/schemas.rs

@@ -1,8 +1,10 @@
+use crate::config::Config;
 use grafbase_database_definition::{DatabaseDefinition, RelationKind, Table};
 use sqlx::{PgConnection, Row};
 
 pub(crate) async fn introspect_database(
     conn: &mut PgConnection,
+    config: &Config,
     database_definition: &mut DatabaseDefinition,
 ) -> anyhow::Result<()> {
     let query = indoc::indoc! {r#"
@@ -30,7 +32,15 @@ pub(crate) async fn introspect_database(
         .await?;
 
     for row in rows {
-        let Some(schema_id) = database_definition.get_schema_id(row.get(1)) else {
+        let schema_name: String = row.get(1);
+        let table_name: String = row.get(0);
+
+        let Some(schema_id) = database_definition.get_schema_id(&schema_name) else {
+            continue;
+        };
+
+        // Skip tables that are not in the allowlist or are in the denylist
+        if !config.is_table_included(&schema_name, &table_name) {
             continue;
         };
 
@@ -41,7 +51,7 @@ pub(crate) async fn introspect_database(
             _ => unreachable!(),
         };
 
-        let mut table = Table::<String>::new(schema_id, row.get(0), kind, None);
+        let mut table = Table::<String>::new(schema_id, table_name, kind, None);
 
         if let Some(description) = row.get(2) {
             table.set_description(description);

crates/postgres-introspection/src/tables.rs

@@ -0,0 +1,81 @@
+# Changelog
+
+All notable changes to the Postgres extension will be documented in this file.
+
+## [0.4.9] - 2025-05-21
+
+### Fixed
+- Fixed issue with aliases in queries and mutations
+
+## [0.4.8] - 2025-05-21
+
+### Added
+- Support for `@derive` and `@is` directives in introspection
+- Added ability to define cross-database joins
+
+## [0.4.7] - 2025-05-16
+
+### Fixed
+- Fixed typo in composite-schemas spec URL
+- Fixed cursor generation to not generate cursors when not needed
+
+## [0.4.6] - 2025-05-15
+
+### Fixed
+- Fixed naming issue in pagination filters
+- Fixed ordering for next/previous cursors when moving backwards
+- Fixed newlines with long base64 cursors
+- Improved population of hasNextPage and hasPreviousPage
+
+## [0.4.5] - 2025-05-14
+
+### Added
+- Added more scalar types for Postgres
+- Reduced the amount of unused types in introspection
+
+## [0.4.4] - 2025-05-09
+
+### Added
+- Added support for proper cursor-based pagination
+
+## [0.4.3] - 2025-05-07
+
+### Fixed
+- Fixed enable/disable mutations functionality
+
+## [0.4.2] - 2025-05-07
+
+### Fixed
+- Fixed Windows build issues
+
+## [0.4.1] - 2025-05-06
+
+### Added
+- Added PostgreSQL mTLS validation
+
+## [0.4.0] - 2025-05-05
+
+### Added
+- Added support for PostgreSQL views
+- Configuration options for enabling/disabling queries or mutations
+
+## [0.3.0] - 2025-04-28
+
+### Added
+- Added lookup support for federation
+- Improved extension description
+
+## [0.2.0] - 2025-04-25
+
+### Changed
+- Various tweaks for consistency in API design
+
+## [0.1.1] - 2025-04-04
+
+### Added
+- Initial public release with basic functionality
+
+## [0.1.0] - 2025-04-04
+
+### Added
+- Initial implementation of the Postgres extension