diff --git a/tests/rls_test.go b/tests/rls_test.go index 158c14c6..6b5018ec 100644 --- a/tests/rls_test.go +++ b/tests/rls_test.go @@ -37,7 +37,7 @@ var _ = Describe("RLS test", Ordered, func() { Expect(DefaultContext.DB().Model(&models.ConfigItem{}).Count(&totalConfigs).Error).To(BeNil()) Expect(DefaultContext.DB().Where("tags->>'cluster' = 'aws'").Model(&models.ConfigItem{}).Count(&awsConfigs).Error).To(BeNil()) - tx = DefaultContext.DB().Session(&gorm.Session{NewDB: true}).Begin(&sql.TxOptions{ReadOnly: true}) + tx = DefaultContext.DB().Begin() Expect(tx.Exec("SET LOCAL ROLE 'postgrest_api'").Error).To(BeNil()) Expect(tx.Exec(`SET LOCAL request.jwt.claims = '{"tags": [{"cluster": "aws"}]}'`).Error).To(BeNil()) @@ -47,6 +47,7 @@ var _ = Describe("RLS test", Ordered, func() { }) AfterAll(func() { + Expect(tx.Exec(`SET LOCAL request.jwt.claims = '{"tags": [{"cluster": "aws"}]}'`).Error).To(BeNil()) Expect(tx.Commit().Error).To(BeNil()) }) diff --git a/views/034_rls_enable.sql b/views/034_rls_enable.sql index 6d16b0bf..555e0187 100644 --- a/views/034_rls_enable.sql +++ b/views/034_rls_enable.sql @@ -26,7 +26,8 @@ CREATE POLICY config_items_auth ON config_items FOR ALL TO postgrest_api, postgrest_anon, api_views_owner USING ( CASE WHEN ( - current_setting('request.jwt.claims', TRUE) IS NULL + current_setting('request.jwt.claims', TRUE) IS NULL + OR current_setting('request.jwt.claims', TRUE) = '' -- when the parameter is set it cannot be deleted. it's value is set to empty string. OR current_setting('request.jwt.claims', TRUE)::jsonb ->> 'disable_rls' IS NOT NULL ) THEN TRUE 
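Review bot: Replacing the read-only transaction with a plain `DefaultContext.DB().Begin()` means the specs now run as `postgrest_api` in a writable transaction that `AfterAll` later commits, so an accidental write in any spec would be persisted rather than rejected. If nothing in this container needs to write, keep `&sql.TxOptions{ReadOnly: true}` or end with `tx.Rollback()` instead of `tx.Commit()`; if read-only had to be dropped, record why in a comment on this line. If this was the only use of `sql.TxOptions` and `gorm.Session` in the file, the corresponding imports are now unused and the file will not compile; the import block is outside the diff, so this could not be checked here.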
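Review bot: The `SET LOCAL request.jwt.claims` added to `AfterAll` is the last statement before `Commit`, and a `SET LOCAL` value lasts only until the transaction ends, so the hunk does not show what it protects; a comment such as `// re-apply claims before commit: <reason>` would record the intent. The policy change in this commit makes an empty `request.jwt.claims` take the unrestricted branch, but no visible spec sets the claims to `''` and asserts the resulting count, so that branch appears untested. Consider a spec that runs as `postgrest_api` with empty claims and compares the count against `totalConfigs`, so the intended behaviour is pinned down explicitly.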
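Review bot: The added `= ''` branch in `config_items_auth` widens a fail-open default: an unset or empty `request.jwt.claims` now yields `THEN TRUE`, so any session running as `postgrest_api`, `postgrest_anon` or `api_views_owner` without claims passes the policy for every row. The same line is added to the `config_changes`, `config_analysis`, `config_relationships`, `config_component_relationships` and `components` policies in the following hunks. Whether the API layer always populates the setting for these roles is not visible here; if the bypass is meant only for trusted internal connections, state that next to the condition, e.g. `-- NOTE: missing/empty claims bypass RLS; relies on the API always setting request.jwt.claims`, and consider returning FALSE for `postgrest_anon` when claims are absent. The CASE expression continues past the end of the hunk.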
@@ -50,7 +51,8 @@ CREATE POLICY config_changes_auth ON config_changes FOR ALL TO postgrest_api, postgrest_anon, api_views_owner USING ( CASE WHEN ( - current_setting('request.jwt.claims', TRUE) IS NULL + current_setting('request.jwt.claims', TRUE) IS NULL + OR current_setting('request.jwt.claims', TRUE) = '' -- when the parameter is set it cannot be deleted. it's value is set to empty string. OR current_setting('request.jwt.claims', TRUE)::jsonb ->> 'disable_rls' IS NOT NULL ) THEN TRUE @@ -72,7 +74,8 @@ CREATE POLICY config_analysis_auth ON config_analysis FOR ALL TO postgrest_api, postgrest_anon, api_views_owner USING ( CASE WHEN ( - current_setting('request.jwt.claims', TRUE) IS NULL + current_setting('request.jwt.claims', TRUE) IS NULL + OR current_setting('request.jwt.claims', TRUE) = '' -- when the parameter is set it cannot be deleted. it's value is set to empty string. OR current_setting('request.jwt.claims', TRUE)::jsonb ->> 'disable_rls' IS NOT NULL ) THEN TRUE @@ -94,7 +97,8 @@ CREATE POLICY config_relationships_auth ON config_relationships FOR ALL TO postgrest_api, postgrest_anon, api_views_owner USING ( CASE WHEN ( - current_setting('request.jwt.claims', TRUE) IS NULL + current_setting('request.jwt.claims', TRUE) IS NULL + OR current_setting('request.jwt.claims', TRUE) = '' -- when the parameter is set it cannot be deleted. it's value is set to empty string. OR current_setting('request.jwt.claims', TRUE)::jsonb ->> 'disable_rls' IS NOT NULL ) THEN TRUE 
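Review bot: The empty-string guard in `config_changes_auth` sits in the same `OR` chain as the `::jsonb` cast it is meant to protect, and PostgreSQL does not guarantee left-to-right evaluation of `OR` operands, so `''::jsonb` can still raise an invalid-JSON error if the cast is evaluated first. Folding the guard into the cast removes the dependency on evaluation order: `NULLIF(current_setting('request.jwt.claims', TRUE), '') IS NULL` followed by `OR NULLIF(current_setting('request.jwt.claims', TRUE), '')::jsonb ->> 'disable_rls' IS NOT NULL`. The same applies to the other five policies touched by this commit. The remaining CASE branches are outside the hunk and presumably cast the setting as well, so they are worth checking against the same input.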
@@ -116,7 +120,8 @@ CREATE POLICY config_component_relationships_auth ON config_component_relationsh FOR ALL TO postgrest_api, postgrest_anon, api_views_owner USING ( CASE WHEN ( - current_setting('request.jwt.claims', TRUE) IS NULL + current_setting('request.jwt.claims', TRUE) IS NULL + OR current_setting('request.jwt.claims', TRUE) = '' -- when the parameter is set it cannot be deleted. it's value is set to empty string. OR current_setting('request.jwt.claims', TRUE)::jsonb ->> 'disable_rls' IS NOT NULL ) THEN TRUE @@ -138,7 +143,8 @@ CREATE POLICY components_auth ON components FOR ALL TO postgrest_api, postgrest_anon, api_views_owner USING ( CASE WHEN ( - current_setting('request.jwt.claims', TRUE) IS NULL + current_setting('request.jwt.claims', TRUE) IS NULL + OR current_setting('request.jwt.claims', TRUE) = '' -- when the parameter is set it cannot be deleted. it's value is set to empty string. OR current_setting('request.jwt.claims', TRUE)::jsonb ->> 'disable_rls' IS NOT NULL ) THEN TRUE