From a0f50b69e3c0d76c41095a23dae15158f6f61e09 Mon Sep 17 00:00:00 2001
From: Aditya Thebe
Date: Mon, 28 Oct 2024 17:14:53 +0545
Subject: [PATCH] view owner
---
 functions/postgrest.sql | 13 +++++++++++++
 views/034_rls_enable.sql | 23 ++++++++++++++++++++++-
 views/035_rls-disable.sql | 8 --------
 views/035_rls_disable.sql | 16 ++++++++++++++++
 4 files changed, 51 insertions(+), 9 deletions(-)
 delete mode 100644 views/035_rls-disable.sql
 create mode 100644 views/035_rls_disable.sql
diff --git a/functions/postgrest.sql b/functions/postgrest.sql
index 2fa25dda..9e6df7c3 100644
--- a/functions/postgrest.sql
+++ b/functions/postgrest.sql
@@ -13,3 +13,16 @@ BEGIN
 ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO postgrest_anon;
 END IF;
 END $$;
+
+
+DO $$
+BEGIN
+ IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'postgrest_api') THEN
+ -- CREATE a ROLE that will own all views where we need to enforce RLS.
+ CREATE ROLE api_views_owner NOSUPERUSER NOBYPASSRLS;
+
+ GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner;
+ END IF ;
+END
+$$;
+
diff --git a/views/034_rls_enable.sql b/views/034_rls_enable.sql
index 8cfc02ca..e185b85f 100644
--- a/views/034_rls_enable.sql
+++ b/views/034_rls_enable.sql
@@ -2,7 +2,7 @@ ALTER TABLE config_items ENABLE ROW LEVEL SECURITY;
 ALTER TABLE components ENABLE ROW LEVEL SECURITY;
--- POLICIES
+-- Policy config items
 DROP POLICY IF EXISTS config_items_auth ON config_items;
 CREATE POLICY config_items_auth ON config_items
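Review bot: The existence guard in the new DO block tests the wrong role: it checks `rolname = 'postgrest_api'` but the body creates `api_views_owner`, so on a database where postgrest_api already exists (as the policies in views/034_rls_enable.sql assume) the owner role is never created and the later `ALTER VIEW ... OWNER TO api_views_owner` fails, while on a database where it does not exist a second run fails with "role already exists". The condition should read `IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'api_views_owner') THEN`. The GRANT only covers tables that exist when the block runs; unlike the postgrest_anon block above, no `ALTER DEFAULT PRIVILEGES` is set for api_views_owner, so a view over a table added later would presumably fail with permission denied until the grant is repeated. The first DO block in this file starts outside the hunk.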
@@ -10,9 +10,30 @@ CREATE POLICY config_items_auth ON config_items
 USING (tags::jsonb @> (current_setting('request.jwt.claims', TRUE)::json ->> 'tags')::jsonb OR current_setting('request.jwt.claims', TRUE)::json ->> 'agent_id' = agent_id::text);
+CREATE POLICY config_items_view_owner_allow ON config_items
+ FOR ALL TO api_views_owner
+ USING (TRUE);
+
+-- Policy components
 DROP POLICY IF EXISTS components_auth ON components;
 CREATE POLICY components_auth ON components FOR ALL TO postgrest_api, postgrest_anon USING (current_setting('request.jwt.claims', TRUE)::json ->> 'agent_id' = agent_id::text);
+-- View owners
+CREATE POLICY components_view_owner_allow ON components
+ FOR ALL TO api_views_owner
+ USING (TRUE);
+
+-- TODO: Add more
+ALTER VIEW config_detail OWNER TO api_views_owner;
+
+ALTER VIEW config_labels OWNER TO api_views_owner;
+
+ALTER VIEW config_names OWNER TO api_views_owner;
+
+ALTER VIEW config_statuses OWNER TO api_views_owner;
+
+ALTER VIEW config_summary OWNER TO api_views_owner;
+
diff --git a/views/035_rls-disable.sql b/views/035_rls-disable.sql
deleted file mode 100644
index 4dcd1564..00000000
--- a/views/035_rls-disable.sql
+++ /dev/null
@@ -1,8 +0,0 @@
-ALTER TABLE config_items DISABLE ROW LEVEL SECURITY;
-
-ALTER TABLE components DISABLE ROW LEVEL SECURITY;
-
--- POLICIES
-DROP POLICY IF EXISTS config_items_auth ON config_items;
-
-DROP POLICY IF EXISTS components_auth ON components;
diff --git a/views/035_rls_disable.sql b/views/035_rls_disable.sql
new file mode 100644
index 00000000..1471a1a0
--- /dev/null
+++ b/views/035_rls_disable.sql
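Review bot: The two new `CREATE POLICY ... _view_owner_allow` statements are not preceded by `DROP POLICY IF EXISTS` the way `config_items_auth` and `components_auth` are, so re-running this file fails with "policy already exists" once the policies are in place. Add `DROP POLICY IF EXISTS config_items_view_owner_allow ON config_items;` before the first and `DROP POLICY IF EXISTS components_view_owner_allow ON components;` before the second. Because PostgreSQL checks row-level policies against the view owner (unless the view is security_invoker), every role with SELECT on the five reassigned views now sees all rows of config_items and components regardless of the JWT agent/tags claims; that appears to be the intent, but it contradicts the "enforce RLS" wording on the role in functions/postgrest.sql, and the `-- TODO: Add more` comment should state it, e.g. `-- Views owned by api_views_owner see all rows; list only views that must aggregate across agents.`. Since the role is only granted SELECT, the two `USING (TRUE)` policies could be `FOR SELECT` rather than `FOR ALL` to keep the grant and the policy aligned.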
@@ -0,0 +1,16 @@
+ALTER TABLE config_items DISABLE ROW LEVEL SECURITY;
+
+ALTER TABLE components DISABLE ROW LEVEL SECURITY;
+
+-- POLICIES
+DROP POLICY IF EXISTS config_items_auth ON config_items;
+
+DROP POLICY IF EXISTS components_auth ON components;
+
+-- View owners
+ALTER VIEW config_detail OWNER TO current_user;
+ALTER VIEW config_summary OWNER TO current_user;
+ALTER VIEW config_labels OWNER TO current_user;
+ALTER VIEW config_names OWNER TO current_user;
+ALTER VIEW config_statuses OWNER TO current_user;
+
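Review bot: The disable script drops `config_items_auth` and `components_auth` but not the `config_items_view_owner_allow` and `components_view_owner_allow` policies that views/034_rls_enable.sql now creates, so the two `USING (TRUE)` policies survive a disable and collide with the next enable run. Add `DROP POLICY IF EXISTS config_items_view_owner_allow ON config_items;` and `DROP POLICY IF EXISTS components_view_owner_allow ON components;` under the `-- POLICIES` comment. `ALTER VIEW ... OWNER TO current_user` hands the views to whichever role runs the migration, which differs between environments; if a fixed owner is expected it should be named, otherwise a comment such as `-- Ownership reverts to the migration role; change if the views must belong to a fixed role` would make the choice explicit. The view list is also ordered differently from 034_rls_enable.sql (config_summary second here, last there), which makes the two files harder to compare.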