archtechx/tenancy
1
0
Fork 0
mirror of https://github.com/archtechx/tenancy.git synced 2026-02-05 03:34:03 +00:00
Code Activity

feat: RLS without central user (role) having bypassrls

Browse source
This commit is contained in:
Justin van Elst 2025-01-09 10:49:27 +01:00
parent 43056b1c70
commit 55bc56356f
No known key found for this signature in database
2 changed files with 37 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

18
src/Commands/CreateUserWithRLSPolicies.php
View file

@ -105,11 +105,12 @@ class CreateUserWithRLSPolicies extends Command
$createdPolicies = []; $createdPolicies = [];
foreach ($rlsQueries as $table => $query) { foreach ($rlsQueries as $table => $queries) {
foreach ($queries as $type => $query) {
[$hash, $policyQuery] = $this->hashPolicy($query); [$hash, $policyQuery] = $this->hashPolicy($query);
$expectedName = $table . '_rls_policy_' . $hash; $expectedName = $table .'_'.$type.'_rls_policy_' . $hash;
$tableRLSPolicy = $this->findTableRLSPolicy($table); $tableRLSPolicy = $this->findTableRLSPolicy($table,$type);
$olderPolicyExists = $tableRLSPolicy && $tableRLSPolicy->policyname !== $expectedName; $olderPolicyExists = $tableRLSPolicy && $tableRLSPolicy->policyname !== $expectedName;
// Drop the policy if an outdated version exists // Drop the policy if an outdated version exists
@ -119,7 +120,7 @@ class CreateUserWithRLSPolicies extends Command
if ($tableRLSPolicy && $dropPolicy) { if ($tableRLSPolicy && $dropPolicy) {
DB::statement("DROP POLICY {$tableRLSPolicy->policyname} ON {$table}"); DB::statement("DROP POLICY {$tableRLSPolicy->policyname} ON {$table}");
$this->components->info("RLS policy for table '{$table}' dropped."); $this->components->info("RLS policy for table '{$table}' for '{$type}' dropped.");
} }
// Create RLS policy if the table doesn't have it or if the --force option is used // Create RLS policy if the table doesn't have it or if the --force option is used
@ -132,7 +133,8 @@ class CreateUserWithRLSPolicies extends Command
$createdPolicies[] = $table . " ($hash)"; $createdPolicies[] = $table . " ($hash)";
} else { } else {
$this->components->info("Table '{$table}' already has an up to date RLS policy."); $this->components->info("Table '{$table}' for '{$type}' already has an up to date RLS policy.");
}
} }
} }
@ -143,9 +145,9 @@ class CreateUserWithRLSPolicies extends Command
$this->components->bulletList($createdPolicies); $this->components->bulletList($createdPolicies);
$this->components->success('RLS policies updated successfully.'); $this->components->info('RLS policies updated successfully.');
} else { } else {
$this->components->success('All RLS policies are up to date.'); $this->components->info('All RLS policies are up to date.');
} }
} }
@ -155,7 +157,7 @@ class CreateUserWithRLSPolicies extends Command
return DB::selectOne(<<<SQL return DB::selectOne(<<<SQL
SELECT * FROM pg_policies SELECT * FROM pg_policies
WHERE tablename = '{$table}' WHERE tablename = '{$table}'
AND policyname LIKE '{$table}_rls_policy%'; AND policyname LIKE '{$table}_{$type}_rls_policy%';
SQL); SQL);
} }

19
src/RLS/PolicyManagers/TableRLSManager.php
View file

@ -4,6 +4,7 @@ declare(strict_types=1);
namespace Stancl\Tenancy\RLS\PolicyManagers; namespace Stancl\Tenancy\RLS\PolicyManagers;
use Illuminate\Contracts\Config\Repository;
use Illuminate\Database\DatabaseManager; use Illuminate\Database\DatabaseManager;
use Stancl\Tenancy\Database\Exceptions\RecursiveRelationshipException; use Stancl\Tenancy\Database\Exceptions\RecursiveRelationshipException;
@ -13,15 +14,20 @@ class TableRLSManager implements RLSPolicyManager
public static bool $scopeByDefault = true; public static bool $scopeByDefault = true;
public function __construct( public function __construct(
protected DatabaseManager $database protected DatabaseManager $database,
protected Repository $config
) {} ) {}
public function generateQueries(array $trees = []): array public function generateQueries(array $trees = []): array
{ {
$queries = []; $queries = [];
$centralUserName = $this->database->getConfig('username');
foreach ($trees ?: $this->shortestPaths() as $table => $path) { foreach ($trees ?: $this->shortestPaths() as $table => $path) {
$queries[$table] = $this->generateQuery($table, $path); $queries[$table] =[
'tenant' => $this->generateQuery($table, $path),
'central' => "CREATE POLICY {$table}_central_rls_policy ON {$table} AS PERMISSIVE TO {$centralUserName} USING (true);"
];
} }
return $queries; return $queries;
@ -209,8 +215,9 @@ class TableRLSManager implements RLSPolicyManager
/** Generates a query that creates a row-level security policy for the passed table. */ /** Generates a query that creates a row-level security policy for the passed table. */
protected function generateQuery(string $table, array $path): string protected function generateQuery(string $table, array $path): string
{ {
$role = $this->config->get('tenancy.rls.user.username');
// Generate the SQL conditions recursively // Generate the SQL conditions recursively
$query = "CREATE POLICY {$table}_rls_policy ON {$table} USING (\n"; $query = "CREATE POLICY {$table}_tenant_rls_policy ON {$table} TO {$role} USING (\n";
$sessionTenantKey = config('tenancy.rls.session_variable_name'); $sessionTenantKey = config('tenancy.rls.session_variable_name');
foreach ($path as $index => $relation) { foreach ($path as $index => $relation) {
@ -242,11 +249,9 @@ class TableRLSManager implements RLSPolicyManager
// -1 because the last item is the tenant table reference which is not a nested where // -1 because the last item is the tenant table reference which is not a nested where
for ($i = count($path) - 1; $i > 0; $i--) { for ($i = count($path) - 1; $i > 0; $i--) {
$query .= str_repeat(' ', $i * 4) . ")\n"; $query .= str_repeat(' ', $i * 4) . ")\n";
} } // closing for CREATE POLICY
$query .= ');'; // closing for CREATE POLICY return $query . ');';
return $query;
} }
protected function getComment(string $tableName, string $columnName): string|null protected function getComment(string $tableName, string $columnName): string|null