feat: support multiple agent ids IN RLS

flanksource · Nov 8, 2024 · ea235b5 · ea235b5
1 parent 55e47e9
commit ea235b5
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 14 deletions.
diff --git a/functions/postgrest.sql b/functions/postgrest.sql
@@ -17,9 +17,11 @@ END $$;
 
 DO $$
 BEGIN
-  -- CREATE a ROLE that will own all views where we need to enforce RLS.
-  CREATE ROLE api_views_owner NOSUPERUSER NOBYPASSRLS;
-  GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner;
+  IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'api_views_owner') THEN
+    -- CREATE a ROLE that will own all views where we need to enforce RLS.
+    CREATE ROLE api_views_owner NOSUPERUSER NOBYPASSRLS;
+    GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner;
+  END IF;
 END
 $$;
 
diff --git a/models/permission.go b/models/permission.go
@@ -1,6 +1,7 @@
 package models
 
 import (
+	"encoding/json"
 	"fmt"
 	"strings"
 	"time"
@@ -79,13 +80,10 @@ func (t *Permission) Condition() string {
 		rule = append(rule, fmt.Sprintf("r.obj.canary != undefined && r.obj.canary.agent_id in (%s)", strings.Join(agents, ",")))
 	}
 
-	// if len(t.Tags) > 0 {
-	// 	var tagsClause []string
-	// 	for _, agentID := range t.Tags {
-	// 	}
-	//
-	// 	rule = append(rule, strings.Join(tagsClause, " || "))
-	// }
+	if len(t.Tags) > 0 {
+		b, _ := json.Marshal(t.Tags)
+		rule = append(rule, fmt.Sprintf("r.obj.config != undefined && mapContains(%q, r.obj.config.tags)", string(b)))
+	}
 
 	return strings.Join(rule, " && ")
 }

diff --git a/views/034_rls_enable.sql b/views/034_rls_enable.sql
@@ -5,11 +5,12 @@ ALTER TABLE components ENABLE ROW LEVEL SECURITY;
 -- Policy config items
 DROP POLICY IF EXISTS config_items_auth ON config_items;
 
--- TODO:: Don't re-add policy if it exists
 CREATE POLICY config_items_auth ON config_items
   FOR ALL TO postgrest_api, postgrest_anon
     USING (tags::jsonb @> (current_setting('request.jwt.claims', TRUE)::json ->> 'tags')::jsonb
-      OR current_setting('request.jwt.claims', TRUE)::json ->> 'agent_id' = agent_id::text);
+      OR current_setting('request.jwt.claims', TRUE)::json -> 'agents' ? 'agent_id'::text);
+
+DROP POLICY IF EXISTS config_items_view_owner_allow ON config_items;
 
 CREATE POLICY config_items_view_owner_allow ON config_items
   FOR ALL TO api_views_owner
@@ -20,9 +21,10 @@ DROP POLICY IF EXISTS components_auth ON components;
 
 CREATE POLICY components_auth ON components
   FOR ALL TO postgrest_api, postgrest_anon
-    USING (current_setting('request.jwt.claims', TRUE)::json ->> 'agent_id' = agent_id::text);
+    USING (current_setting('request.jwt.claims', TRUE)::json -> 'agents' ? agent_id::text);
+
+DROP POLICY IF EXISTS components_view_owner_allow ON components;
 
--- View owners
 CREATE POLICY components_view_owner_allow ON components
   FOR ALL TO api_views_owner
     USING (TRUE);