archtechx/tenancy
1
0
Fork 0
mirror of https://github.com/archtechx/tenancy.git synced 2025-12-12 15:14:03 +00:00
Code Activity
tenancy/tests/DatabaseUsersTest.php
Samuel Štancl 7317d2638a
Postgres RLS + permission controlled database managers (#33) 
This PR adds Postgres RLS (trait manager + table manager approach) and permission controlled managers for PostgreSQL.

---------

Co-authored-by: lukinovec <lukinovec@gmail.com>
Co-authored-by: PHP CS Fixer <phpcsfixer@example.com>
2024-04-24 22:32:49 +02:00

224 lines
9 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use Illuminate\Support\Str;
use Illuminate\Support\Facades\DB;
use Stancl\JobPipeline\JobPipeline;
use Stancl\Tenancy\Tests\Etc\Tenant;
use Illuminate\Support\Facades\Event;
use Stancl\Tenancy\Jobs\CreateDatabase;
use Stancl\Tenancy\Events\TenantCreated;
use Stancl\Tenancy\Events\DatabaseCreated;
use Stancl\Tenancy\Database\DatabaseManager;
use Stancl\Tenancy\Events\TenancyInitialized;
use Stancl\Tenancy\Listeners\BootstrapTenancy;
use Stancl\Tenancy\Database\Contracts\ManagesDatabaseUsers;
use Stancl\Tenancy\Bootstrappers\DatabaseTenancyBootstrapper;
use Stancl\Tenancy\Database\TenantDatabaseManagers\MySQLDatabaseManager;
use Stancl\Tenancy\Database\TenantDatabaseManagers\PostgreSQLSchemaManager;
use Stancl\Tenancy\Database\TenantDatabaseManagers\PostgreSQLDatabaseManager;
use Stancl\Tenancy\Database\TenantDatabaseManagers\MicrosoftSQLDatabaseManager;
use Stancl\Tenancy\Database\Exceptions\TenantDatabaseUserAlreadyExistsException;
use Stancl\Tenancy\Database\TenantDatabaseManagers\PermissionControlledMySQLDatabaseManager;
use Stancl\Tenancy\Database\TenantDatabaseManagers\PermissionControlledPostgreSQLSchemaManager;
use Stancl\Tenancy\Database\TenantDatabaseManagers\PermissionControlledPostgreSQLDatabaseManager;
use Stancl\Tenancy\Database\TenantDatabaseManagers\PermissionControlledMicrosoftSQLServerDatabaseManager;
beforeEach(function () {
config([
'tenancy.database.managers.mysql' => PermissionControlledMySQLDatabaseManager::class,
'tenancy.database.managers.sqlsrv' => PermissionControlledMicrosoftSQLServerDatabaseManager::class,
'tenancy.database.managers.pgsql' => PermissionControlledPostgreSQLDatabaseManager::class,
'tenancy.database.suffix' => '',
'tenancy.database.template_tenant_connection' => 'mysql',
]);
// Reset static property
PermissionControlledMySQLDatabaseManager::$grants = [
'ALTER', 'ALTER ROUTINE', 'CREATE', 'CREATE ROUTINE', 'CREATE TEMPORARY TABLES', 'CREATE VIEW',
'DELETE', 'DROP', 'EVENT', 'EXECUTE', 'INDEX', 'INSERT', 'LOCK TABLES', 'REFERENCES', 'SELECT',
'SHOW VIEW', 'TRIGGER', 'UPDATE',
];
PermissionControlledMicrosoftSQLServerDatabaseManager::$grants = [
'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'EXECUTE',
];
Event::listen(TenantCreated::class, JobPipeline::make([CreateDatabase::class])->send(function (TenantCreated $event) {
return $event->tenant;
})->toListener());
});
test('users are created when permission controlled manager is used', function (string $connection, string|null $manager = null) {
if ($manager) {
config(["tenancy.database.managers.{$connection}" => $manager]);
}
config([
'database.default' => $connection,
'tenancy.database.template_tenant_connection' => $connection,
]);
$tenant = new Tenant([
'id' => 'foo' . Str::random(10),
]);
$tenant->database()->makeCredentials();
/** @var ManagesDatabaseUsers $manager */
$manager = $tenant->database()->manager();
$username = $tenant->database()->getUsername();
expect($manager->userExists($username))->toBeFalse();
$tenant->save();
expect($manager->userExists($username))->toBeTrue();
if ($connection === 'sqlsrv') {
app(DatabaseManager::class)->connectToTenant($tenant);
expect((bool) DB::select("SELECT dp.name as username FROM sys.database_principals dp WHERE dp.name = '{$username}'"))->toBeTrue();
}
})->with([
['mysql'],
['sqlsrv'],
['pgsql', PermissionControlledPostgreSQLDatabaseManager::class],
['pgsql', PermissionControlledPostgreSQLSchemaManager::class],
]);
test('a tenants database cannot be created when the user already exists', function (string $connection, string|null $manager = null) {
if ($manager) {
config(["tenancy.database.managers.{$connection}" => $manager]);
}
config([
'database.default' => $connection,
'tenancy.database.template_tenant_connection' => $connection,
]);
$username = 'foo' . Str::random(8);
$tenant = Tenant::create([
'tenancy_db_username' => $username,
]);
/** @var ManagesDatabaseUsers $manager */
$manager = $tenant->database()->manager();
expect($manager->userExists($tenant->database()->getUsername()))->toBeTrue();
expect($manager->databaseExists($tenant->database()->getName()))->toBeTrue();
pest()->expectException(TenantDatabaseUserAlreadyExistsException::class);
Event::fake([DatabaseCreated::class]);
$tenant2 = Tenant::create([
'tenancy_db_username' => $username,
]);
/** @var ManagesDatabaseUsers $manager */
$manager2 = $tenant2->database()->manager();
// database was not created because of DB transaction
expect($manager2->databaseExists($tenant2->database()->getName()))->toBeFalse();
Event::assertNotDispatched(DatabaseCreated::class);
})->with([
['mysql'],
['sqlsrv'],
['pgsql', PermissionControlledPostgreSQLDatabaseManager::class],
['pgsql', PermissionControlledPostgreSQLSchemaManager::class],
]);
test('correct grants are given to users using mysql', function () {
PermissionControlledMySQLDatabaseManager::$grants = [
'ALTER', 'ALTER ROUTINE', 'CREATE',
];
$tenant = Tenant::create([
'tenancy_db_username' => $user = 'user' . Str::random(8),
]);
$query = DB::connection('mysql')->select("SHOW GRANTS FOR `{$tenant->database()->getUsername()}`@`%`")[1];
expect($query->{"Grants for {$user}@%"})->toStartWith('GRANT CREATE, ALTER, ALTER ROUTINE ON'); // @mysql because that's the hostname within the docker network
});
test('permissions for new tables are granted to users using pgsql', function (string $manager) {
config([
'database.default' => 'pgsql',
'tenancy.database.template_tenant_connection' => 'pgsql',
'tenancy.database.managers.pgsql' => $manager,
]);
Tenant::create(['tenancy_db_username' => $username = 'user' . Str::random(8)]);
$grantCount = fn () => count(DB::select("SELECT * FROM information_schema.table_privileges WHERE grantee = '{$username}'"));
expect($grantCount())->toBe(0);
Event::listen(TenancyInitialized::class, function (TenancyInitialized $event) {
app(DatabaseManager::class)->connectToTenant($event->tenancy->tenant);
});
// Run tenants:migrate to create tables to confirm
// that the user will be granted privileges for newly created tables
pest()->artisan('tenants:migrate');
expect($grantCount())->not()->toBe(0);
})->with([
PermissionControlledPostgreSQLDatabaseManager::class,
PermissionControlledPostgreSQLSchemaManager::class
]);
test('correct grants are given to users using sqlsrv', function () {
config([
'database.default' => 'sqlsrv',
'tenancy.database.template_tenant_connection' => 'sqlsrv',
]);
PermissionControlledMicrosoftSQLServerDatabaseManager::$grants = ['SELECT'];
$tenant = Tenant::create(['tenancy_db_username' => $user = 'tenant_user' . Str::random(8)]);
// Connect to the tenant database to access tenant database user's permissions
app(DatabaseManager::class)->connectToTenant($tenant);
$userGrants = DB::select("SELECT dp.permission_name as name FROM sys.database_permissions dp WHERE USER_NAME(dp.grantee_principal_id) = '$user'");
expect(array_map(fn ($grant) => $grant->name, $userGrants))->toEqual(array_merge(
['CONNECT'], // Granted automatically
PermissionControlledMicrosoftSQLServerDatabaseManager::$grants
));
});
test('having existing databases without users and switching to permission controlled manager doesnt break existing dbs', function (string $driver, string $manager, string $permissionControlledManager, string $defaultUser) {
config([
'database.default' => $driver,
'tenancy.database.managers.' . $driver => $manager,
'tenancy.database.template_tenant_connection' => $driver,
'tenancy.bootstrappers' => [
DatabaseTenancyBootstrapper::class,
],
]);
Event::listen(TenancyInitialized::class, BootstrapTenancy::class);
$tenant = Tenant::create([
'id' => 'foo' . Str::random(10),
]);
expect($tenant->database()->manager() instanceof $manager)->toBeTrue();
tenancy()->initialize($tenant); // check if everything works
tenancy()->end();
config(['tenancy.database.managers.' . $driver => $permissionControlledManager]);
tenancy()->initialize($tenant); // check if everything works
expect($tenant->database()->manager() instanceof $permissionControlledManager)->toBeTrue();
expect(config('database.connections.tenant.username'))->toBe($defaultUser);
})->with([
['mysql', MySQLDatabaseManager::class, PermissionControlledMySQLDatabaseManager::class, 'root'],
['pgsql', PostgreSQLDatabaseManager::class, PermissionControlledPostgreSQLDatabaseManager::class, 'root'],
['pgsql', PostgreSQLSchemaManager::class, PermissionControlledPostgreSQLSchemaManager::class, 'root'],
['sqlsrv', MicrosoftSQLDatabaseManager::class, PermissionControlledMicrosoftSQLServerDatabaseManager::class, 'sa'],
]);
View git blame Copy permalink