view owner

flanksource · Nov 8, 2024 · a0f50b6 · a0f50b6
1 parent 08fde2d
commit a0f50b6
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 9 deletions.
diff --git a/functions/postgrest.sql b/functions/postgrest.sql
@@ -13,3 +13,16 @@ BEGIN
         ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO postgrest_anon;
     END IF;
 END $$;
+
+
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'postgrest_api') THEN
+      -- CREATE a ROLE that will own all views where we need to enforce RLS.
+      CREATE ROLE api_views_owner NOSUPERUSER NOBYPASSRLS;
+
+      GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner;
+    END IF ;
+END
+$$;
+
diff --git a/views/034_rls_enable.sql b/views/034_rls_enable.sql
@@ -2,17 +2,38 @@ ALTER TABLE config_items ENABLE ROW LEVEL SECURITY;
 
 ALTER TABLE components ENABLE ROW LEVEL SECURITY;
 
--- POLICIES
+-- Policy config items
 DROP POLICY IF EXISTS config_items_auth ON config_items;
 
 CREATE POLICY config_items_auth ON config_items
   FOR ALL TO postgrest_api, postgrest_anon
     USING (tags::jsonb @> (current_setting('request.jwt.claims', TRUE)::json ->> 'tags')::jsonb
       OR current_setting('request.jwt.claims', TRUE)::json ->> 'agent_id' = agent_id::text);
 
+CREATE POLICY config_items_view_owner_allow ON config_items
+  FOR ALL TO api_views_owner
+    USING (TRUE);
+
+-- Policy components
 DROP POLICY IF EXISTS components_auth ON components;
 
 CREATE POLICY components_auth ON components
   FOR ALL TO postgrest_api, postgrest_anon
     USING (current_setting('request.jwt.claims', TRUE)::json ->> 'agent_id' = agent_id::text);
 
+-- View owners
+CREATE POLICY components_view_owner_allow ON components
+  FOR ALL TO api_views_owner
+    USING (TRUE);
+
+-- TODO: Add more
+ALTER VIEW config_detail OWNER TO api_views_owner;
+
+ALTER VIEW config_labels OWNER TO api_views_owner;
+
+ALTER VIEW config_names OWNER TO api_views_owner;
+
+ALTER VIEW config_statuses OWNER TO api_views_owner;
+
+ALTER VIEW config_summary OWNER TO api_views_owner;
+
diff --git a/views/035_rls-disable.sql b/views/035_rls-disable.sql
diff --git a/views/035_rls_disable.sql b/views/035_rls_disable.sql
@@ -0,0 +1,16 @@
+ALTER TABLE config_items DISABLE ROW LEVEL SECURITY;
+
+ALTER TABLE components DISABLE ROW LEVEL SECURITY;
+
+-- POLICIES
+DROP POLICY IF EXISTS config_items_auth ON config_items;
+
+DROP POLICY IF EXISTS components_auth ON components;
+
+-- View owners
+ALTER VIEW config_detail OWNER TO current_user;
+ALTER VIEW config_summary OWNER TO current_user;
+ALTER VIEW config_labels OWNER TO current_user;
+ALTER VIEW config_names OWNER TO current_user;
+ALTER VIEW config_statuses OWNER TO current_user;
+