archtechx/tenancy
1
0
Fork 0
mirror of https://github.com/archtechx/tenancy.git synced 2026-02-05 15:54:03 +00:00
Code Activity

Use "RLS" instead of "Rls"

Browse source
This commit is contained in:
lukinovec 2023-08-07 10:44:48 +02:00
parent 4ed5aa0add
commit ad0a2e5f6f
4 changed files with 29 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/Commands/CreateRLSPoliciesForTenantTables.php
View file

@ -24,7 +24,7 @@ class CreateRLSPoliciesForTenantTables extends Command
{ {
DB::transaction(function () { DB::transaction(function () {
foreach (tenancy()->getTenantModels() as $model) { foreach (tenancy()->getTenantModels() as $model) {
$this->applyRlsOnModel($model); $this->applyRLSOnModel($model);
} }
}); });
@ -34,7 +34,7 @@ class CreateRLSPoliciesForTenantTables extends Command
/** /**
* Make model use RLS if it belongs to a tenant directly, or through a parent primary model. * Make model use RLS if it belongs to a tenant directly, or through a parent primary model.
*/ */
protected function applyRlsOnModel(Model $model): void protected function applyRLSOnModel(Model $model): void
{ {
$table = $model->getTable(); $table = $model->getTable();
$tenantKeyName = tenancy()->tenantKeyColumn(); $tenantKeyName = tenancy()->tenantKeyColumn();
@ -44,7 +44,7 @@ class CreateRLSPoliciesForTenantTables extends Command
if (tenancy()->modelBelongsToTenant($model)) { if (tenancy()->modelBelongsToTenant($model)) {
DB::statement("CREATE POLICY {$table}_rls_policy ON {$table} USING ({$tenantKeyName}::TEXT = current_user);"); DB::statement("CREATE POLICY {$table}_rls_policy ON {$table} USING ({$tenantKeyName}::TEXT = current_user);");
$this->enableRls($table); $this->enableRLS($table);
$this->components->info("Created RLS policy for table '$table'"); $this->components->info("Created RLS policy for table '$table'");
} }
@ -69,13 +69,13 @@ class CreateRLSPoliciesForTenantTables extends Command
DB::statement($formattedStatement); DB::statement($formattedStatement);
$this->enableRls($table); $this->enableRLS($table);
$this->components->info("Created RLS policy for table '$table'"); $this->components->info("Created RLS policy for table '$table'");
} }
} }
protected function enableRls(string $table): void protected function enableRLS(string $table): void
{ {
$formattedStatement = DB::select("SELECT format('ALTER TABLE %I', '$table')")[0]->format; $formattedStatement = DB::select("SELECT format('ALTER TABLE %I', '$table')")[0]->format;

4
src/Database/Concerns/BelongsToTenant.php
View file

@ -21,9 +21,9 @@ trait BelongsToTenant
public static function bootBelongsToTenant(): void public static function bootBelongsToTenant(): void
{ {
// If 'tenancy.rls.enabled' is true or this model implements RlsModel // If 'tenancy.rls.enabled' is true or this model implements RLSModel
// Scope queries using Postgres RLS instead of TenantScope // Scope queries using Postgres RLS instead of TenantScope
if (! (config('tenancy.rls.enabled') || (new static) instanceof RlsModel)) { if (! (config('tenancy.rls.enabled') || (new static) instanceof RLSModel)) {
static::addGlobalScope(new TenantScope); static::addGlobalScope(new TenantScope);
} }

2
src/Database/Concerns/RlsModel.php
View file

@ -12,6 +12,6 @@ namespace Stancl\Tenancy\Database\Concerns;
* *
* @see \Stancl\Tenancy\Database\Concerns\BelongsToTenant * @see \Stancl\Tenancy\Database\Concerns\BelongsToTenant
*/ */
interface RlsModel interface RLSModel
{ {
} }

42
tests/PostgresRLSTest.php
View file

@ -14,7 +14,7 @@ use Stancl\Tenancy\Database\TenantScope;
use Illuminate\Database\Schema\Blueprint; use Illuminate\Database\Schema\Blueprint;
use Stancl\Tenancy\Tests\Etc\ScopedComment; use Stancl\Tenancy\Tests\Etc\ScopedComment;
use Stancl\Tenancy\Events\TenancyInitialized; use Stancl\Tenancy\Events\TenancyInitialized;
use Stancl\Tenancy\Database\Concerns\RlsModel; use Stancl\Tenancy\Database\Concerns\RLSModel;
use Stancl\Tenancy\Listeners\BootstrapTenancy; use Stancl\Tenancy\Listeners\BootstrapTenancy;
use Stancl\Tenancy\Jobs\DeleteTenantsPostgresUser; use Stancl\Tenancy\Jobs\DeleteTenantsPostgresUser;
use Illuminate\Database\Eloquent\Concerns\HasUuids; use Illuminate\Database\Eloquent\Concerns\HasUuids;
@ -113,25 +113,25 @@ test('postgres user can get deleted using the job', function() {
test('correct rls policies get created', function () { test('correct rls policies get created', function () {
$tenantModels = tenancy()->getTenantModels(); $tenantModels = tenancy()->getTenantModels();
$modelTables = collect($tenantModels)->map(fn (Model $model) => $model->getTable()); $modelTables = collect($tenantModels)->map(fn (Model $model) => $model->getTable());
$getRlsPolicies = fn () => DB::select('select * from pg_policies'); $getRLSPolicies = fn () => DB::select('select * from pg_policies');
$getRlsTables = fn () => $modelTables->map(fn ($table) => DB::select('select relname, relrowsecurity, relforcerowsecurity from pg_class WHERE oid = ' . "'$table'::regclass"))->collapse(); $getRLSTables = fn () => $modelTables->map(fn ($table) => DB::select('select relname, relrowsecurity, relforcerowsecurity from pg_class WHERE oid = ' . "'$table'::regclass"))->collapse();
// Drop all existing policies to check if the command creates policies for multiple tables // Drop all existing policies to check if the command creates policies for multiple tables
foreach ($getRlsPolicies() as $policy) { foreach ($getRLSPolicies() as $policy) {
DB::statement("DROP POLICY IF EXISTS {$policy->policyname} ON {$policy->tablename}"); DB::statement("DROP POLICY IF EXISTS {$policy->policyname} ON {$policy->tablename}");
} }
expect($getRlsPolicies())->toHaveCount(0); expect($getRLSPolicies())->toHaveCount(0);
pest()->artisan('tenants:create-rls-policies'); pest()->artisan('tenants:create-rls-policies');
// Check if all tables with policies are RLS protected (even the ones not directly related to the tenant) // Check if all tables with policies are RLS protected (even the ones not directly related to the tenant)
// Models related to tenant through some model must use the BelongsToPrimaryModel trait // Models related to tenant through some model must use the BelongsToPrimaryModel trait
// For the command to create the policy correctly for the model's table // For the command to create the policy correctly for the model's table
expect($getRlsPolicies())->toHaveCount(count($tenantModels)); // 2 expect($getRLSPolicies())->toHaveCount(count($tenantModels)); // 2
expect($getRlsTables())->toHaveCount(count($tenantModels)); // 2 expect($getRLSTables())->toHaveCount(count($tenantModels)); // 2
foreach ($getRlsTables() as $table) { foreach ($getRLSTables() as $table) {
expect($modelTables)->toContain($table->relname); expect($modelTables)->toContain($table->relname);
expect($table->relforcerowsecurity)->toBeTrue(); expect($table->relforcerowsecurity)->toBeTrue();
} }
@ -143,12 +143,12 @@ test('global scope is not applied when using rls', function () {
expect(Post::hasGlobalScope(TenantScope::class))->toBeTrue(); expect(Post::hasGlobalScope(TenantScope::class))->toBeTrue();
// Clear booted models to forget the global scope and see if it gets applied during the boot // Clear booted models to forget the global scope and see if it gets applied during the boot
RlsPost::clearBootedModels(); RLSPost::clearBootedModels();
RlsPost::bootBelongsToTenant(); RLSPost::bootBelongsToTenant();
// RlsPost implements the RlsModel interface // RLSPost implements the RLSModel interface
// The model shouldn't have the global scope // The model shouldn't have the global scope
expect(RlsPost::hasGlobalScope(TenantScope::class))->toBeFalse(); expect(RLSPost::hasGlobalScope(TenantScope::class))->toBeFalse();
config(['tenancy.rls.enabled' => true]); config(['tenancy.rls.enabled' => true]);
@ -172,17 +172,17 @@ test('queries are correctly scoped using RLS', function() {
// Create posts and comments for both tenants // Create posts and comments for both tenants
tenancy()->initialize($tenant); tenancy()->initialize($tenant);
$post1 = RlsPost::create(['text' => 'first post']); $post1 = RLSPost::create(['text' => 'first post']);
$post1Comment = $post1->scoped_comments()->create(['text' => 'first comment']); $post1Comment = $post1->scoped_comments()->create(['text' => 'first comment']);
tenancy()->initialize($secondTenant); tenancy()->initialize($secondTenant);
$post2 = RlsPost::create(['text' => 'second post']); $post2 = RLSPost::create(['text' => 'second post']);
$post2Comment = $post2->scoped_comments()->create(['text' => 'second comment']); $post2Comment = $post2->scoped_comments()->create(['text' => 'second comment']);
tenancy()->initialize($tenant); tenancy()->initialize($tenant);
expect(RlsPost::all()->pluck('text')) expect(RLSPost::all()->pluck('text'))
->toContain($post1->text) ->toContain($post1->text)
->not()->toContain($post2->text); ->not()->toContain($post2->text);
@ -192,7 +192,7 @@ test('queries are correctly scoped using RLS', function() {
tenancy()->end(); tenancy()->end();
expect(RlsPost::all()->pluck('text')) expect(RLSPost::all()->pluck('text'))
->toContain($post1->text) ->toContain($post1->text)
->toContain($post2->text); ->toContain($post2->text);
@ -202,19 +202,19 @@ test('queries are correctly scoped using RLS', function() {
tenancy()->initialize($secondTenant); tenancy()->initialize($secondTenant);
expect(RlsPost::all()->pluck('text'))->toContain($post2->text)->not()->toContain($post1->text); expect(RLSPost::all()->pluck('text'))->toContain($post2->text)->not()->toContain($post1->text);
expect(ScopedComment::all()->pluck('text'))->toContain($post2Comment->text)->not()->toContain($post1Comment->text); expect(ScopedComment::all()->pluck('text'))->toContain($post2Comment->text)->not()->toContain($post1Comment->text);
tenancy()->initialize($tenant); tenancy()->initialize($tenant);
expect(RlsPost::all()->pluck('text')) expect(RLSPost::all()->pluck('text'))
->toContain($post1->text) ->toContain($post1->text)
->not()->toContain($post2->text); ->not()->toContain($post2->text);
expect(ScopedComment::all()->pluck('text')) expect(ScopedComment::all()->pluck('text'))
->toContain($post1Comment->text) ->toContain($post1Comment->text)
->not()->toContain($post2Comment->text); ->not()->toContain($post2Comment->text);
}); })->group('rls');
test('users created by CreatePostgresUserForTenant are only granted the permissions specified in the static property', function() { test('users created by CreatePostgresUserForTenant are only granted the permissions specified in the static property', function() {
config(['tenancy.rls.user_permissions' => ['INSERT', 'SELECT', 'UPDATE']]); config(['tenancy.rls.user_permissions' => ['INSERT', 'SELECT', 'UPDATE']]);
@ -282,9 +282,9 @@ trait UsesUuidAsPrimaryKey
} }
} }
/** /**
* Post model that implements the RlsModel interface. * Post model that implements the RLSModel interface.
*/ */
class RlsPost extends Post implements RlsModel class RLSPost extends Post implements RLSModel
{ {
public function getForeignKey() public function getForeignKey()
{ {