0
Fork 0
mirror of https://github.com/logto-io/logto.git synced 2024-12-23 20:33:16 -05:00
logto/packages/schemas/alterations/next-1675788753-multi-tenancy-rls.ts

182 lines
4.7 KiB
TypeScript
Raw Normal View History

2023-02-08 05:58:45 -05:00
import { generateStandardId } from '@logto/core-kit';
import type { CommonQueryMethods } from 'slonik';
import { sql } from 'slonik';
import { raw } from 'slonik-sql-tag-raw';
import type { AlterationScript } from '../lib/types/alteration.js';
const tables: string[] = [
'applications_roles',
'applications',
'connectors',
'custom_phrases',
'logs',
'logto_configs',
'oidc_model_instances',
'passcodes',
'resources',
'roles_scopes',
'roles',
'scopes',
'sign_in_experiences',
'users_roles',
'users',
'hooks',
];
const defaultTenantId = 'default';
const getId = (value: string) => sql.identifier([value]);
const getDatabaseName = async (pool: CommonQueryMethods) => {
const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
select current_database();
`);
return currentDatabase.replaceAll('-', '_');
};
const alteration: AlterationScript = {
up: async (pool) => {
const database = await getDatabaseName(pool);
// Alter hooks table for multi-tenancy (missed before)
await pool.query(sql`
alter table hooks
add column tenant_id varchar(21) not null default 'default'
2023-02-09 05:31:14 -05:00
references tenants (id) on update cascade on delete cascade,
alter column id type varchar(21); -- OK to downsize since we use length 21 for ID generation in core
2023-02-08 05:58:45 -05:00
alter table hooks
alter column tenant_id drop default;
2023-02-09 05:31:14 -05:00
2023-02-08 05:58:45 -05:00
create index hooks__id on hooks (tenant_id, id);
2023-02-09 05:31:14 -05:00
drop index hooks__event;
create index hooks__event on hooks (tenant_id, event);
create trigger set_tenant_id before insert on hooks
for each row execute procedure set_tenant_id();
`);
// Add db_user column to tenants table
await pool.query(sql`
alter table tenants
add column db_user varchar(128),
add constraint tenants__db_user
unique (db_user);
2023-02-08 05:58:45 -05:00
`);
// Create role and setup privileges
const baseRole = `logto_tenant_${database}`;
const baseRoleId = getId(baseRole);
2023-02-09 05:31:14 -05:00
// See `_after_all.sql` for comments
2023-02-08 05:58:45 -05:00
await pool.query(sql`
create role ${baseRoleId} noinherit;
grant select, insert, update, delete
on all tables
in schema public
to ${baseRoleId};
revoke all privileges
on table tenants
from ${baseRoleId};
2023-02-09 05:31:14 -05:00
grant select (id, db_user)
on table tenants
to ${baseRoleId};
alter table tenants enable row level security;
create policy tenants_tenant_id on tenants
to ${baseRoleId}
using (db_user = current_user);
2023-02-08 05:58:45 -05:00
revoke all privileges
on table systems
from ${baseRoleId};
`);
// Enable RLS
await Promise.all(
tables.map(async (tableName) =>
pool.query(sql`
alter table ${getId(tableName)} enable row level security;
create policy ${getId(`${tableName}_tenant_id`)} on ${getId(tableName)}
to ${baseRoleId}
using (tenant_id = (select id from tenants where db_user = current_user));
`)
)
);
// Create database role for default tenant
const role = `logto_tenant_${database}_${defaultTenantId}`;
const password = generateStandardId(32);
await pool.query(sql`
update tenants
set db_user=${role}, db_user_password=${password}
where id=${defaultTenantId};
`);
await pool.query(sql`
create role ${sql.identifier([role])} with inherit login
password '${raw(password)}'
in role ${sql.identifier([baseRole])};
`);
},
down: async (pool) => {
const database = await getDatabaseName(pool);
const baseRoleId = getId(`logto_tenant_${database}`);
const role = `logto_tenant_${database}_${defaultTenantId}`;
// Disable RLS
await Promise.all(
tables.map(async (tableName) =>
pool.query(sql`
drop policy ${getId(`${tableName}_tenant_id`)} on ${getId(tableName)};
alter table ${getId(tableName)} disable row level security;
`)
)
);
// Drop role
await pool.query(sql`
drop role ${getId(role)};
revoke all privileges
on all tables
in schema public
from ${baseRoleId};
2023-02-09 05:31:14 -05:00
drop policy tenants_tenant_id on tenants;
alter table tenants disable row level security;
2023-02-08 05:58:45 -05:00
drop role ${baseRoleId};
`);
// Drop db_user column from tenants table
await pool.query(sql`
alter table tenants
drop column db_user;
`);
// Revert hooks table from multi-tenancy
await pool.query(sql`
drop index hooks__id;
alter table hooks
2023-02-09 05:31:14 -05:00
drop column tenant_id,
alter column id type varchar(32);
create index hooks__event on hooks (event);
drop trigger set_tenant_id on hooks;
2023-02-08 05:58:45 -05:00
`);
},
};
export default alteration;