Merge #139799 #140045 #140073 #140083 #140100

139799: roachtest: fix unsortedMatricesDiffWithFloatComp helper r=yuzefovich a=yuzefovich

`unsortedMatricesDiffWithFloatComp` has a special logic for handling float and decimal arrays, and it figures out whether that logic is applicable based on the stringified type name. Previously, we would only match strings like `[]FLOAT4` for that, but lib/pq library returns `_FLOAT4` as the name for that array, so we would previously not apply the special logic in some cases, which would lead to spurious failures. This is now fixed.

Fixes: #139727.

Release note: None

140045: crosscluster: extra priv tests r=msbutler a=msbutler

This patch adds further e2e privilege tests for LDR and PCR

Epic: none

Release note: none

140073: deps: upgrade github.com/jackc/pgx to v4.18.3 r=spilchen a=emnet-crl

This PR upgrades the `jackc/pgx` library to v4.18.2. The previous version of the library was susceptible to an SQL injection vulnerability per [GO-2024-2606](1).


Fixes: CRDB-46987

Release note: None

[1]: https://pkg.go.dev/vuln/GO-2024-2606

140083: sql/opt: build CTEs for SQL expressions embedded in PL/pgSQL r=yuzefovich,mgartner a=DrewKimball

This commit fixes an oversight from when we introduced support for CTEs within routies. Namely, SQL expressions can contain subqueries, which in turn can contain CTEs. The logic for building a SQL *statement* within a PL/pgSQL routine correctly handles CTEs by building them into the constructed `RelExpr`. The logic for SQL *expressions` was previously missing the same.

To fix this issue, `plpgsqlBuilder.buildSQLExpr` now checks if the built scalar expression contained any CTEs. If it did, the scalar is wrapped in the built CTEs, which are in turn wrapped in a subquery, which is returned as the final scalar result. This prevents issues where the CTEs are built at an outer scope, which can produce invalid plans.

Fixes #138273

Release note (bug fix): Fixed a bug existing only in pre-release versions of v25.1. The bug could cause creation of a PL/pgSQL routine with a CTE to fail with an error like the following: `unexpected root expression: with`.

140100: authors: add Abhinav Gupta to authors r=Abhinav1299 a=Abhinav1299

Epic: None
Release note: None

Co-authored-by: Yahor Yuzefovich <[email protected]>
Co-authored-by: Michael Butler <[email protected]>
Co-authored-by: Emnet Gossaye <[email protected]>
Co-authored-by: Drew Kimball <[email protected]>
Co-authored-by: Abhinav1299 <[email protected]>

Author: 6 people

AUTHORS

@@ -26,6 +26,7 @@ Aayush Shah <[email protected]> <@cockroachlabs.com>
 Abbey Russell <[email protected]> Abigail Russell <[email protected]> <[email protected]>
 Abby Hersh <[email protected]>
 Abhinav Garg <[email protected]>
+Abhinav Gupta <[email protected]> <[email protected]>
 Abhishek Kedia <[email protected]>
 Abhishek Madan <[email protected]> <[email protected]> <[email protected]> Abhemailk [email protected] <[email protected]>
 Abhishek Saha <[email protected]> AbhishekSaha <[email protected]>

DEPS.bzl

@@ -5235,10 +5235,10 @@ def go_deps():
         name = "com_github_jackc_pgx_v4",
         build_file_proto_mode = "disable_global",
         importpath = "github.com/jackc/pgx/v4",
-        sha256 = "5ca92c5bf58979d9e978f6b849e02eb319d2587565375fe875a29d10d84cfadc",
-        strip_prefix = "github.com/jackc/pgx/[email protected].1",
+        sha256 = "1d5955dc65b8de8f72f9856865b33dcd9a2238f7cf9b1f2a00f1558e7d4965da",
+        strip_prefix = "github.com/jackc/pgx/[email protected].3",
         urls = [
-            "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/jackc/pgx/v4/com_github_jackc_pgx_v4-v4.18.1.zip",
+            "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/jackc/pgx/v4/com_github_jackc_pgx_v4-v4.18.3.zip",
         ],
     )
     go_repository(

build/bazelutil/distdir_files.bzl

@@ -684,7 +684,7 @@ DISTDIR_FILES = {
     "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/jackc/pgproto3/v2/com_github_jackc_pgproto3_v2-v2.3.3.zip": "53ea236cbfe241693b439092e2d51b404c2a635ee3fe64ea7aad1527cb715189",
     "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/jackc/pgservicefile/com_github_jackc_pgservicefile-v0.0.0-20221227161230-091c0ba34f0a.zip": "1f8bdf75b2a0d750e56c2a94b1d1b0b5be4b29d6df056aebd997162c29bfd8ab",
     "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/jackc/pgtype/com_github_jackc_pgtype-v1.14.1.zip": "3acb69a66e7e432c010d503425810620d04c304166c45083fa8a96feca13054d",
-    "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/jackc/pgx/v4/com_github_jackc_pgx_v4-v4.18.1.zip": "5ca92c5bf58979d9e978f6b849e02eb319d2587565375fe875a29d10d84cfadc",
+    "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/jackc/pgx/v4/com_github_jackc_pgx_v4-v4.18.3.zip": "1d5955dc65b8de8f72f9856865b33dcd9a2238f7cf9b1f2a00f1558e7d4965da",
     "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/jackc/pgx/v5/com_github_jackc_pgx_v5-v5.5.5.zip": "221749d6187aaeeb14097a41f2510689eaf35245ef77d243a1f69dc23605d2a2",
     "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/jackc/puddle/com_github_jackc_puddle-v1.3.0.zip": "b1eb42bb3cf9a430146af79cb183860b9dddfca51844c2d4b447dc2f43becc55",
     "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/jackc/puddle/v2/com_github_jackc_puddle_v2-v2.2.1.zip": "6698895617fabb929fa1ac868ad5253e02a997888bf5c6004379c5b29eedee58",

go.mod

@@ -84,7 +84,7 @@ require (
 	github.com/jackc/pgproto3/v2 v2.3.3
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
 	github.com/jackc/pgtype v1.14.1
-	github.com/jackc/pgx/v4 v4.18.1
+	github.com/jackc/pgx/v4 v4.18.3
 )
 
 require (

go.sum

@@ -1460,7 +1460,6 @@ github.com/jackc/pgconn v0.0.0-20190831204454-2fabfa3c18b7/go.mod h1:ZJKsE/KZfsU
 github.com/jackc/pgconn v1.8.0/go.mod h1:1C2Pb36bGIP9QHGBYCjnyhqu7Rv3sGshaQUvmfGIB/o=
 github.com/jackc/pgconn v1.9.0/go.mod h1:YctiPyvzfU11JFxoXokUOOKQXQmDMoJL9vJzHH8/2JY=
 github.com/jackc/pgconn v1.9.1-0.20210724152538-d89c8390a530/go.mod h1:4z2w8XhRbP1hYxkpTuBjTS3ne3J48K83+u0zoyvg2pI=
-github.com/jackc/pgconn v1.14.0/go.mod h1:9mBNlny0UvkgJdCDvdVHYSjI+8tD2rnKK69Wz8ti++E=
 github.com/jackc/pgconn v1.14.3 h1:bVoTr12EGANZz66nZPkMInAV/KHD2TxH9npjXXgiB3w=
 github.com/jackc/pgconn v1.14.3/go.mod h1:RZbme4uasqzybK2RK5c65VsHxoyaml09lx3tXOcO/VM=
 github.com/jackc/pgio v1.0.0 h1:g12B9UwVnzGhueNavwioyEEpAmqMe1E/BN9ES+8ovkE=
@@ -1478,7 +1477,6 @@ github.com/jackc/pgproto3/v2 v2.0.0-rc3/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvW
 github.com/jackc/pgproto3/v2 v2.0.0-rc3.0.20190831210041-4c03ce451f29/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
 github.com/jackc/pgproto3/v2 v2.0.6/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
 github.com/jackc/pgproto3/v2 v2.1.1/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgproto3/v2 v2.3.2/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
 github.com/jackc/pgproto3/v2 v2.3.3 h1:1HLSx5H+tXR9pW3in3zaztoEwQYRC9SQaYUHjTSUOag=
 github.com/jackc/pgproto3/v2 v2.3.3/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
 github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E=
@@ -1488,21 +1486,19 @@ github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01C
 github.com/jackc/pgtype v0.0.0-20190824184912-ab885b375b90/go.mod h1:KcahbBH1nCMSo2DXpzsoWOAfFkdEtEJpPbVLq8eE+mc=
 github.com/jackc/pgtype v0.0.0-20190828014616-a8802b16cc59/go.mod h1:MWlu30kVJrUS8lot6TQqcg7mtthZ9T0EoIBFiJcmcyw=
 github.com/jackc/pgtype v1.8.1-0.20210724151600-32e20a603178/go.mod h1:C516IlIV9NKqfsMCXTdChteoXmwgUceqaLfjg2e3NlM=
-github.com/jackc/pgtype v1.14.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
 github.com/jackc/pgtype v1.14.1 h1:LyDar7M2K0tShCWqzJ/ctzF1QC3Wzc9c8a6cHE0PFdc=
 github.com/jackc/pgtype v1.14.1/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
 github.com/jackc/pgx/v4 v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08CZQyj1PVQBHy9XOp5p8/SHH6a0psbY9Y=
 github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM=
 github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc=
 github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs=
-github.com/jackc/pgx/v4 v4.18.1 h1:YP7G1KABtKpB5IHrO9vYwSrCOhs7p3uqhvhhQBptya0=
-github.com/jackc/pgx/v4 v4.18.1/go.mod h1:FydWkUyadDmdNH/mHnGob881GawxeEm7TcMCzkb+qQE=
+github.com/jackc/pgx/v4 v4.18.3 h1:dE2/TrEsGX3RBprb3qryqSV9Y60iZN1C6i8IrmW9/BA=
+github.com/jackc/pgx/v4 v4.18.3/go.mod h1:Ey4Oru5tH5sB6tV7hDmfWFahwF15Eb7DNXlRKx2CkVw=
 github.com/jackc/pgx/v5 v5.5.5 h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=
 github.com/jackc/pgx/v5 v5.5.5/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
 github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v1.3.0/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
 github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jaegertracing/jaeger v1.18.1 h1:eFqjEpTKq2FfiZ/YX53oxeCePdIZyWvDfXaTAGj0r5E=

pkg/cmd/roachtest/tests/query_comparison_util.go

@@ -611,13 +611,30 @@ func joinAndSortRows(rowMatrix1, rowMatrix2 [][]string, sep string) (rows1, rows
 	return rows1, rows2
 }
 
+func isFloatArray(colType string) bool {
+	switch colType {
+	case "[]FLOAT4", "[]FLOAT8", "_FLOAT4", "_FLOAT8":
+		return true
+	default:
+		return false
+	}
+}
+
+func isDecimalArray(colType string) bool {
+	switch colType {
+	case "[]DECIMAL", "_DECIMAL":
+		return true
+	default:
+		return false
+	}
+}
+
 func needApproximateMatch(colType string) bool {
 	// On s390x, check that values for both float and decimal coltypes are
 	// approximately equal to take into account platform differences in floating
 	// point calculations. On other architectures, check float values only.
-	return (runtime.GOARCH == "s390x" && (colType == "DECIMAL" || colType == "[]DECIMAL")) ||
-		colType == "FLOAT4" || colType == "[]FLOAT4" ||
-		colType == "FLOAT8" || colType == "[]FLOAT8"
+	return (runtime.GOARCH == "s390x" && (colType == "DECIMAL" || isDecimalArray(colType))) ||
+		colType == "FLOAT4" || colType == "FLOAT8" || isFloatArray(colType)
 }
 
 // sortRowsWithFloatComp is similar to joinAndSortRows, but it uses float
@@ -627,7 +644,7 @@ func sortRowsWithFloatComp(rowMatrix1, rowMatrix2 [][]string, colTypes []string)
 		for idx := range colTypes {
 			if needApproximateMatch(colTypes[idx]) {
 				cmpFn := floatcmp.FloatsCmp
-				if strings.HasPrefix(colTypes[idx], "[]") {
+				if isFloatArray(colTypes[idx]) || isDecimalArray(colTypes[idx]) {
 					cmpFn = floatcmp.FloatArraysCmp
 				}
 				res, err := cmpFn(rowMatrix[i][idx], rowMatrix[j][idx])
@@ -697,7 +714,7 @@ func unsortedMatricesDiffWithFloatComp(
 	}
 	var needCustomMatch bool
 	for _, colType := range colTypes {
-		if needApproximateMatch(colType) || colType == "DECIMAL" || colType == "[]DECIMAL" {
+		if needApproximateMatch(colType) || colType == "DECIMAL" || isDecimalArray(colType) {
 			needCustomMatch = true
 			break
 		}
@@ -712,13 +729,14 @@ func unsortedMatricesDiffWithFloatComp(
 
 		for j, colType := range colTypes {
 			if needApproximateMatch(colType) {
+				isFloatOrDecimalArray := isFloatArray(colType) || isDecimalArray(colType)
 				cmpFn := floatcmp.FloatsMatch
 				switch {
-				case runtime.GOARCH == "s390x" && strings.HasPrefix(colType, "[]"):
+				case runtime.GOARCH == "s390x" && isFloatOrDecimalArray:
 					cmpFn = floatcmp.FloatArraysMatchApprox
-				case runtime.GOARCH == "s390x" && !strings.HasPrefix(colType, "[]"):
+				case runtime.GOARCH == "s390x" && !isFloatOrDecimalArray:
 					cmpFn = floatcmp.FloatsMatchApprox
-				case strings.HasPrefix(colType, "[]"):
+				case isFloatOrDecimalArray:
 					cmpFn = floatcmp.FloatArraysMatch
 				}
 				match, err := cmpFn(row1[j], row2[j])
@@ -729,12 +747,12 @@ func unsortedMatricesDiffWithFloatComp(
 					return result, nil
 				}
 			} else {
-				switch colType {
-				case "DECIMAL":
+				switch {
+				case colType == "DECIMAL":
 					// For decimals, remove any trailing zeroes.
 					row1[j] = trimDecimalTrailingZeroes(row1[j])
 					row2[j] = trimDecimalTrailingZeroes(row2[j])
-				case "[]DECIMAL":
+				case isDecimalArray(colType):
 					// For decimal arrays, remove any trailing zeroes from each
 					// decimal.
 					row1[j] = trimDecimalsTrailingZeroesInArray(row1[j])

pkg/cmd/roachtest/tests/query_comparison_util_test.go

@@ -148,6 +148,14 @@ func TestUnsortedMatricesDiff(t *testing.T) {
 			exactMatch:  false,
 			approxMatch: true,
 		},
+		{
+			name:        "multi row 0 in array matches -0 in array, lib/pq type name",
+			colTypes:    []string{"_FLOAT4"}, // this is how []FLOAT4 is named in lib/pq driver
+			t1:          [][]string{{"NULL"}, {"{-1}"}, {"{-0}"}, {"{0}"}, {"{NaN}"}},
+			t2:          [][]string{{"NULL"}, {"{-1}"}, {"{0}"}, {"{0}"}, {"{NaN}"}},
+			exactMatch:  false,
+			approxMatch: true,
+		},
 	}
 	for _, tc := range tcs {
 		t.Run(tc.name, func(t *testing.T) {

pkg/crosscluster/logical/logical_replication_job_test.go

@@ -1953,7 +1953,7 @@ func TestUserPrivileges(t *testing.T) {
 		},
 	}
 
-	server, s, dbA, _ := setupLogicalTestServer(t, ctx, clusterArgs, 1)
+	server, s, dbA, dbB := setupLogicalTestServer(t, ctx, clusterArgs, 1)
 	defer server.Stopper().Stop(ctx)
 
 	dbBURL := replicationtestutils.GetExternalConnectionURI(t, s, s, serverutils.DBName("b"))
@@ -1966,7 +1966,8 @@ func TestUserPrivileges(t *testing.T) {
 	testuser2 := sqlutils.MakeSQLRunner(s.SQLConn(t, serverutils.User(username.TestUser+"2"), serverutils.DBName("a")))
 
 	var jobAID jobspb.JobID
-	testuser2.QueryRow(t, "CREATE LOGICAL REPLICATION STREAM FROM TABLE tab ON $1 INTO TABLE tab", dbBURL.String()).Scan(&jobAID)
+	createStmt := "CREATE LOGICAL REPLICATION STREAM FROM TABLE tab ON $1 INTO TABLE tab"
+	testuser2.QueryRow(t, createStmt, dbBURL.String()).Scan(&jobAID)
 
 	t.Run("view-control-job", func(t *testing.T) {
 		showJobStmt := "select job_id from [SHOW JOBS] where job_id=$1"
@@ -2006,11 +2007,17 @@ func TestUserPrivileges(t *testing.T) {
 		testuser.Exec(t, fmt.Sprintf(testingUDFAcceptProposedBaseWithSchema, "testschema", "tab"))
 	})
 
-	t.Run("replication", func(t *testing.T) {
-		createWithUDFStmt := "CREATE LOGICAL REPLICATION STREAM FROM TABLE tab ON $1 INTO TABLE tab WITH DEFAULT FUNCTION = 'testschema.repl_apply'"
-		testuser.ExpectErr(t, "user testuser does not have REPLICATION system privilege", createWithUDFStmt, dbBURL.String())
+	t.Run("replication-dest", func(t *testing.T) {
+		testuser.ExpectErr(t, "user testuser does not have REPLICATION system privilege", createStmt, dbBURL.String())
 		dbA.Exec(t, fmt.Sprintf("GRANT SYSTEM REPLICATION TO %s", username.TestUser))
-		testuser.QueryRow(t, createWithUDFStmt, dbBURL.String()).Scan(&jobAID)
+		testuser.QueryRow(t, createStmt, dbBURL.String()).Scan(&jobAID)
+	})
+	t.Run("replication-src", func(t *testing.T) {
+		dbB.Exec(t, "CREATE USER testuser3")
+		dbBURL2 := replicationtestutils.GetExternalConnectionURI(t, s, s, serverutils.DBName("b"), serverutils.User(username.TestUser+"3"))
+		testuser.ExpectErr(t, "user testuser3 does not have REPLICATION system privilege", createStmt, dbBURL2.String())
+		dbB.Exec(t, fmt.Sprintf("GRANT SYSTEM REPLICATION TO %s", username.TestUser+"3"))
+		testuser.QueryRow(t, createStmt, dbBURL2.String()).Scan(&jobAID)
 	})
 }
 

pkg/crosscluster/physical/replication_stream_e2e_test.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"sync/atomic"
 	"testing"
 	"time"
@@ -25,6 +26,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/kv/kvserver/protectedts"
 	"github.com/cockroachdb/cockroach/pkg/kv/kvserver/protectedts/ptpb"
 	"github.com/cockroachdb/cockroach/pkg/roachpb"
+	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/server/telemetry"
 	"github.com/cockroachdb/cockroach/pkg/sql"
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/descs"
@@ -50,6 +52,35 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func TestPCRPrivs(t *testing.T) {
+	defer leaktest.AfterTest(t)()
+	defer log.Scope(t).Close(t)
+
+	ctx := context.Background()
+	args := replicationtestutils.DefaultTenantStreamingClustersArgs
+	c, cleanup := replicationtestutils.CreateTenantStreamingClusters(ctx, t, args)
+	defer cleanup()
+
+	c.DestSysSQL.Exec(t, fmt.Sprintf("CREATE USER %s", username.TestUser))
+	c.SrcSysSQL.Exec(t, fmt.Sprintf("CREATE USER %s", username.TestUser+"2"))
+	testuser := sqlutils.MakeSQLRunner(c.DestSysServer.SQLConn(t, serverutils.User(username.TestUser)))
+	srcURL, cleanupSinkCert := sqlutils.PGUrl(t, c.SrcSysServer.AdvSQLAddr(), t.Name(), url.User(username.TestUser+"2"))
+	defer cleanupSinkCert()
+
+	streamReplStmt := fmt.Sprintf("CREATE TENANT %s FROM REPLICATION OF %s ON '%s'",
+		c.Args.DestTenantName,
+		c.Args.SrcTenantName,
+		srcURL.String())
+
+	testuser.ExpectErr(t, "user testuser does not have MANAGEVIRTUALCLUSTER system privilege", streamReplStmt)
+
+	c.DestSysSQL.Exec(t, fmt.Sprintf("GRANT SYSTEM MANAGEVIRTUALCLUSTER TO %s", username.TestUser))
+	testuser.ExpectErr(t, "user testuser2 does not have REPLICATION system privilege", streamReplStmt)
+
+	c.SrcSysSQL.Exec(t, fmt.Sprintf("GRANT SYSTEM REPLICATION TO %s", username.TestUser+"2"))
+	c.DestSysSQL.Exec(t, streamReplStmt)
+
+}
 func TestTenantStreamingProducerJobTimedOut(t *testing.T) {
 	defer leaktest.AfterTest(t)()
 	defer log.Scope(t).Close(t)

pkg/sql/logictest/testdata/logic_test/udf_cte

@@ -121,3 +121,42 @@ query T
 SELECT f();
 ----
 {10,20,30,40}
+
+subtest regression_138273
+
+statement ok
+CREATE SEQUENCE seq_1;
+
+# Verify that the function can be successfully created with a CTE inside a
+# scalar expression.
+statement ok
+CREATE FUNCTION f138273_1() RETURNS TIMESTAMP LANGUAGE PLpgSQL AS $$
+  DECLARE
+    decl TIMESTAMP;
+  BEGIN
+    WHILE false LOOP
+      IF true THEN
+      ELSIF EXISTS (WITH cte(col) AS (SELECT * FROM (VALUES (currval('seq_1'))) AS foo) SELECT 1 FROM cte) THEN
+        RETURN decl;
+      END IF;
+    END LOOP;
+  END;
+$$;
+
+# Test a similar function that actually executes the CTE.
+statement ok
+CREATE FUNCTION f138273_2() RETURNS INT LANGUAGE PLpgSQL AS $$
+  BEGIN
+    SELECT nextval('seq_1');
+    WHILE EXISTS (WITH cte(col) AS (SELECT * FROM (VALUES (currval('seq_1'))) AS foo) SELECT 1 FROM cte) LOOP
+      RETURN currval('seq_1');
+    END LOOP;
+  END;
+$$;
+
+query I
+SELECT f138273_2();
+----
+1
+
+subtest end

pkg/sql/opt/optbuilder/create_trigger.go

@@ -179,6 +179,15 @@ func (b *Builder) buildFunctionForTrigger(
 
 	// The trigger function can reference the NEW and OLD transition relations,
 	// aliased in the trigger definition.
+	if len(ct.Transitions) > 0 {
+		// Save the existing CTEs in the builder and restore them after the function
+		// body is built.
+		prevCTEs := b.ctes
+		b.ctes = nil
+		defer func() {
+			b.ctes = prevCTEs
+		}()
+	}
 	for _, transition := range ct.Transitions {
 		// Build a fake relational expression with a column corresponding to each
 		// column from the table.
@@ -203,12 +212,6 @@ func (b *Builder) buildFunctionForTrigger(
 		funcScope.ctes[string(transition.Name)] = cte
 		b.addCTE(cte)
 	}
-	if len(ct.Transitions) > 0 {
-		defer func() {
-			// Reset the CTEs in the builder after the function body is built.
-			b.ctes = nil
-		}()
-	}
 
 	// The trigger function takes a set of implicitly-defined parameters, two of
 	// which are determined by the table's record type. Add them to the trigger

pkg/sql/opt/optbuilder/plpgsql.go

@@ -2201,13 +2201,34 @@ func (b *plpgsqlBuilder) buildSQLExpr(expr ast.Expr, typ *types.T, s *scope) opt
 		// For lazy SQL evaluation, replace all expressions with NULL.
 		return memo.NullSingleton
 	}
+	// Save any outer CTEs before building the expression, which may have
+	// subqueries with inner CTEs.
+	prevCTEs := b.ob.ctes
+	b.ob.ctes = nil
+	defer func() {
+		b.ob.ctes = prevCTEs
+	}()
 	expr, _ = tree.WalkExpr(s, expr)
 	typedExpr, err := expr.TypeCheck(b.ob.ctx, b.ob.semaCtx, typ)
 	if err != nil {
 		panic(err)
 	}
 	scalar := b.ob.buildScalar(typedExpr, s, nil, nil, b.colRefs)
-	return b.coerceType(scalar, typ)
+	scalar = b.coerceType(scalar, typ)
+	if len(b.ob.ctes) == 0 {
+		return scalar
+	}
+	// There was at least one CTE within the scalar expression. It is possible to
+	// "hoist" them above this point, but building them eagerly here means that
+	// callers don't have to worry about CTE handling.
+	f := b.ob.factory
+	valuesCol := f.Metadata().AddColumn("", scalar.DataType())
+	valuesExpr := f.ConstructValues(
+		memo.ScalarListExpr{f.ConstructTuple(memo.ScalarListExpr{scalar}, scalar.DataType())},
+		&memo.ValuesPrivate{Cols: opt.ColList{valuesCol}, ID: f.Metadata().NextUniqueID()},
+	)
+	withExpr := b.ob.buildWiths(valuesExpr, b.ob.ctes)
+	return f.ConstructSubquery(withExpr, &memo.SubqueryPrivate{})
 }
 
 // buildSQLStatement type-checks and builds the given SQL statement into a