diff --git a/functions/postgrest.sql b/functions/postgrest.sql index f4606a26..6f71dcb3 100644 --- a/functions/postgrest.sql +++ b/functions/postgrest.sql @@ -17,9 +17,11 @@ END $$; DO $$ BEGIN - -- CREATE a ROLE that will own all views where we need to enforce RLS. - CREATE ROLE api_views_owner NOSUPERUSER NOBYPASSRLS; - GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner; + IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'api_views_owner') THEN + -- CREATE a ROLE that will own all views where we need to enforce RLS. + CREATE ROLE api_views_owner NOSUPERUSER NOBYPASSRLS; + GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner; + END IF; END $$; diff --git a/models/permission.go b/models/permission.go index 7c5fb48c..251a7ba3 100644 --- a/models/permission.go +++ b/models/permission.go @@ -1,6 +1,7 @@ package models import ( + "encoding/json" "fmt" "strings" "time" @@ -79,13 +80,10 @@ func (t *Permission) Condition() string { rule = append(rule, fmt.Sprintf("r.obj.canary != undefined && r.obj.canary.agent_id in (%s)", strings.Join(agents, ","))) } - // if len(t.Tags) > 0 { - // var tagsClause []string - // for _, agentID := range t.Tags { - // } - // - // rule = append(rule, strings.Join(tagsClause, " || ")) - // } + if len(t.Tags) > 0 { + b, _ := json.Marshal(t.Tags) + rule = append(rule, fmt.Sprintf("r.obj.config != undefined && mapContains(%q, r.obj.config.tags)", string(b))) + } return strings.Join(rule, " && ") } diff --git a/views/034_rls_enable.sql b/views/034_rls_enable.sql index 473440cd..53aeebfb 100644 --- a/views/034_rls_enable.sql +++ b/views/034_rls_enable.sql @@ -5,11 +5,12 @@ ALTER TABLE components ENABLE ROW LEVEL SECURITY; -- Policy config items DROP POLICY IF EXISTS config_items_auth ON config_items; --- TODO:: Don't re-add policy if it exists CREATE POLICY config_items_auth ON config_items FOR ALL TO postgrest_api, postgrest_anon USING (tags::jsonb @> (current_setting('request.jwt.claims', TRUE)::json ->> 'tags')::jsonb - OR current_setting('request.jwt.claims', TRUE)::json ->> 'agent_id' = agent_id::text); + OR current_setting('request.jwt.claims', TRUE)::json -> 'agents' ? 'agent_id'::text); + +DROP POLICY IF EXISTS config_items_view_owner_allow ON config_items; CREATE POLICY config_items_view_owner_allow ON config_items FOR ALL TO api_views_owner @@ -20,9 +21,10 @@ DROP POLICY IF EXISTS components_auth ON components; CREATE POLICY components_auth ON components FOR ALL TO postgrest_api, postgrest_anon - USING (current_setting('request.jwt.claims', TRUE)::json ->> 'agent_id' = agent_id::text); + USING (current_setting('request.jwt.claims', TRUE)::json -> 'agents' ? agent_id::text); + +DROP POLICY IF EXISTS components_view_owner_allow ON components; --- View owners CREATE POLICY components_view_owner_allow ON components FOR ALL TO api_views_owner USING (TRUE);