view owner

flanksource · Oct 28, 2024 · 4ea3cc9 · 4ea3cc9
1 parent 2ca5f1f
commit 4ea3cc9
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 8 deletions.
diff --git a/views/002_seed.sql b/views/002_seed.sql
@@ -24,3 +24,9 @@ BEGIN
             (5, 'Low', 'info', ARRAY['P4']);
    END IF;
 END $$;
+
+-- CREATE a ROLE that will own all views where we need to enforce RLS.
+-- TODO: Don't create if exists
+CREATE ROLE IF NOT EXISTS api_views_owner NOSUPERUSER NOBYPASSRLS;
+
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner;
diff --git a/views/034_rls_enable.sql b/views/034_rls_enable.sql
@@ -16,3 +16,11 @@ CREATE POLICY components_auth ON components
   FOR ALL TO postgrest_api, postgrest_anon
     USING (current_setting('request.jwt.claims', TRUE)::json ->> 'agent_id' = agent_id::text);
 
+-- View owners
+-- TODO: Add more
+ALTER VIEW config_detail OWNER TO api_views_owner;
+ALTER VIEW config_labels OWNER TO api_views_owner;
+ALTER VIEW config_names OWNER TO api_views_owner;
+ALTER VIEW config_statuses OWNER TO api_views_owner;
+ALTER VIEW config_summary OWNER TO api_views_owner;
+
diff --git a/views/035_rls-disable.sql b/views/035_rls-disable.sql
diff --git a/views/035_rls_disable.sql b/views/035_rls_disable.sql
@@ -0,0 +1,16 @@
+ALTER TABLE config_items DISABLE ROW LEVEL SECURITY;
+
+ALTER TABLE components DISABLE ROW LEVEL SECURITY;
+
+-- POLICIES
+DROP POLICY IF EXISTS config_items_auth ON config_items;
+
+DROP POLICY IF EXISTS components_auth ON components;
+
+-- View owners
+ALTER VIEW config_detail OWNER TO current_user;
+ALTER VIEW config_summary OWNER TO current_user;
+ALTER VIEW config_labels OWNER TO current_user;
+ALTER VIEW config_names OWNER TO current_user;
+ALTER VIEW config_statuses OWNER TO current_user;
+