mirror of
https://github.com/archtechx/tenancy.git
synced 2026-02-05 18:34:04 +00:00
feat: RLS without central user (role) having bypassrls
This commit is contained in:
Justin van Elst
parent
43056b1c70
commit
55bc56356f
2 changed files with 37 additions and 30 deletions
|
|
@ -105,11 +105,12 @@ class CreateUserWithRLSPolicies extends Command
|
|||
|
||||
$createdPolicies = [];
|
||||
|
||||
foreach ($rlsQueries as $table => $query) {
|
||||
foreach ($rlsQueries as $table => $queries) {
|
||||
foreach ($queries as $type => $query) {
|
||||
[$hash, $policyQuery] = $this->hashPolicy($query);
|
||||
$expectedName = $table . '_rls_policy_' . $hash;
|
||||
$expectedName = $table .'_'.$type.'_rls_policy_' . $hash;
|
||||
|
||||
$tableRLSPolicy = $this->findTableRLSPolicy($table);
|
||||
$tableRLSPolicy = $this->findTableRLSPolicy($table,$type);
|
||||
$olderPolicyExists = $tableRLSPolicy && $tableRLSPolicy->policyname !== $expectedName;
|
||||
|
||||
// Drop the policy if an outdated version exists
|
||||
|
|
@ -119,7 +120,7 @@ class CreateUserWithRLSPolicies extends Command
|
|||
if ($tableRLSPolicy && $dropPolicy) {
|
||||
DB::statement("DROP POLICY {$tableRLSPolicy->policyname} ON {$table}");
|
||||
|
||||
$this->components->info("RLS policy for table '{$table}' dropped.");
|
||||
$this->components->info("RLS policy for table '{$table}' for '{$type}' dropped.");
|
||||
}
|
||||
|
||||
// Create RLS policy if the table doesn't have it or if the --force option is used
|
||||
|
|
@ -132,7 +133,8 @@ class CreateUserWithRLSPolicies extends Command
|
|||
|
||||
$createdPolicies[] = $table . " ($hash)";
|
||||
} else {
|
||||
$this->components->info("Table '{$table}' already has an up to date RLS policy.");
|
||||
$this->components->info("Table '{$table}' for '{$type}' already has an up to date RLS policy.");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -143,9 +145,9 @@ class CreateUserWithRLSPolicies extends Command
|
|||
|
||||
$this->components->bulletList($createdPolicies);
|
||||
|
||||
$this->components->success('RLS policies updated successfully.');
|
||||
$this->components->info('RLS policies updated successfully.');
|
||||
} else {
|
||||
$this->components->success('All RLS policies are up to date.');
|
||||
$this->components->info('All RLS policies are up to date.');
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -155,7 +157,7 @@ class CreateUserWithRLSPolicies extends Command
|
|||
return DB::selectOne(<<<SQL
|
||||
SELECT * FROM pg_policies
|
||||
WHERE tablename = '{$table}'
|
||||
AND policyname LIKE '{$table}_rls_policy%';
|
||||
AND policyname LIKE '{$table}_{$type}_rls_policy%';
|
||||
SQL);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -4,6 +4,7 @@ declare(strict_types=1);
|
|||
|
||||
namespace Stancl\Tenancy\RLS\PolicyManagers;
|
||||
|
||||
use Illuminate\Contracts\Config\Repository;
|
||||
use Illuminate\Database\DatabaseManager;
|
||||
use Stancl\Tenancy\Database\Exceptions\RecursiveRelationshipException;
|
||||
|
||||
|
|
@ -13,15 +14,20 @@ class TableRLSManager implements RLSPolicyManager
|
|||
public static bool $scopeByDefault = true;
|
||||
|
||||
public function __construct(
|
||||
protected DatabaseManager $database
|
||||
protected DatabaseManager $database,
|
||||
protected Repository $config
|
||||
) {}
|
||||
|
||||
public function generateQueries(array $trees = []): array
|
||||
{
|
||||
$queries = [];
|
||||
$centralUserName = $this->database->getConfig('username');
|
||||
|
||||
foreach ($trees ?: $this->shortestPaths() as $table => $path) {
|
||||
$queries[$table] = $this->generateQuery($table, $path);
|
||||
$queries[$table] =[
|
||||
'tenant' => $this->generateQuery($table, $path),
|
||||
'central' => "CREATE POLICY {$table}_central_rls_policy ON {$table} AS PERMISSIVE TO {$centralUserName} USING (true);"
|
||||
];
|
||||
}
|
||||
|
||||
return $queries;
|
||||
|
|
@ -209,8 +215,9 @@ class TableRLSManager implements RLSPolicyManager
|
|||
/** Generates a query that creates a row-level security policy for the passed table. */
|
||||
protected function generateQuery(string $table, array $path): string
|
||||
{
|
||||
$role = $this->config->get('tenancy.rls.user.username');
|
||||
// Generate the SQL conditions recursively
|
||||
$query = "CREATE POLICY {$table}_rls_policy ON {$table} USING (\n";
|
||||
$query = "CREATE POLICY {$table}_tenant_rls_policy ON {$table} TO {$role} USING (\n";
|
||||
$sessionTenantKey = config('tenancy.rls.session_variable_name');
|
||||
|
||||
foreach ($path as $index => $relation) {
|
||||
|
|
@ -242,11 +249,9 @@ class TableRLSManager implements RLSPolicyManager
|
|||
// -1 because the last item is the tenant table reference which is not a nested where
|
||||
for ($i = count($path) - 1; $i > 0; $i--) {
|
||||
$query .= str_repeat(' ', $i * 4) . ")\n";
|
||||
}
|
||||
} // closing for CREATE POLICY
|
||||
|
||||
$query .= ');'; // closing for CREATE POLICY
|
||||
|
||||
return $query;
|
||||
return $query . ');';
|
||||
}
|
||||
|
||||
protected function getComment(string $tableName, string $columnName): string|null
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue