2023-04-04 16:23:25 +08:00
|
|
|
import { generateStandardId } from '@logto/shared/universal';
|
2024-03-16 19:04:55 +08:00
|
|
|
import type { CommonQueryMethods } from '@silverhand/slonik';
|
|
|
|
import { sql } from '@silverhand/slonik';
|
2023-02-08 18:58:45 +08:00
|
|
|
|
|
|
|
import type { AlterationScript } from '../lib/types/alteration.js';
|
|
|
|
|
|
|
|
const tables: string[] = [
|
|
|
|
'applications_roles',
|
|
|
|
'applications',
|
|
|
|
'connectors',
|
|
|
|
'custom_phrases',
|
|
|
|
'logs',
|
|
|
|
'logto_configs',
|
|
|
|
'oidc_model_instances',
|
|
|
|
'passcodes',
|
|
|
|
'resources',
|
|
|
|
'roles_scopes',
|
|
|
|
'roles',
|
|
|
|
'scopes',
|
|
|
|
'sign_in_experiences',
|
|
|
|
'users_roles',
|
|
|
|
'users',
|
|
|
|
'hooks',
|
|
|
|
];
|
|
|
|
|
|
|
|
const defaultTenantId = 'default';
|
|
|
|
|
|
|
|
const getId = (value: string) => sql.identifier([value]);
|
|
|
|
|
|
|
|
const getDatabaseName = async (pool: CommonQueryMethods) => {
|
|
|
|
const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
|
|
|
|
select current_database();
|
|
|
|
`);
|
|
|
|
|
|
|
|
return currentDatabase.replaceAll('-', '_');
|
|
|
|
};
|
|
|
|
|
|
|
|
const alteration: AlterationScript = {
|
|
|
|
up: async (pool) => {
|
|
|
|
const database = await getDatabaseName(pool);
|
|
|
|
|
|
|
|
// Alter hooks table for multi-tenancy (missed before)
|
|
|
|
await pool.query(sql`
|
|
|
|
alter table hooks
|
|
|
|
add column tenant_id varchar(21) not null default 'default'
|
2023-02-09 18:31:14 +08:00
|
|
|
references tenants (id) on update cascade on delete cascade,
|
|
|
|
alter column id type varchar(21); -- OK to downsize since we use length 21 for ID generation in core
|
|
|
|
|
2023-02-08 18:58:45 +08:00
|
|
|
alter table hooks
|
|
|
|
alter column tenant_id drop default;
|
2023-02-09 18:31:14 +08:00
|
|
|
|
2023-02-08 18:58:45 +08:00
|
|
|
create index hooks__id on hooks (tenant_id, id);
|
2023-02-09 18:31:14 +08:00
|
|
|
|
|
|
|
drop index hooks__event;
|
|
|
|
create index hooks__event on hooks (tenant_id, event);
|
|
|
|
|
|
|
|
create trigger set_tenant_id before insert on hooks
|
|
|
|
for each row execute procedure set_tenant_id();
|
|
|
|
`);
|
|
|
|
|
|
|
|
// Add db_user column to tenants table
|
|
|
|
await pool.query(sql`
|
|
|
|
alter table tenants
|
|
|
|
add column db_user varchar(128),
|
|
|
|
add constraint tenants__db_user
|
|
|
|
unique (db_user);
|
2023-02-08 18:58:45 +08:00
|
|
|
`);
|
|
|
|
|
|
|
|
// Create role and setup privileges
|
|
|
|
const baseRole = `logto_tenant_${database}`;
|
|
|
|
const baseRoleId = getId(baseRole);
|
2023-02-09 18:31:14 +08:00
|
|
|
|
|
|
|
// See `_after_all.sql` for comments
|
2023-02-08 18:58:45 +08:00
|
|
|
await pool.query(sql`
|
|
|
|
create role ${baseRoleId} noinherit;
|
|
|
|
|
|
|
|
grant select, insert, update, delete
|
|
|
|
on all tables
|
|
|
|
in schema public
|
|
|
|
to ${baseRoleId};
|
|
|
|
|
|
|
|
revoke all privileges
|
|
|
|
on table tenants
|
|
|
|
from ${baseRoleId};
|
|
|
|
|
2023-02-09 18:31:14 +08:00
|
|
|
grant select (id, db_user)
|
|
|
|
on table tenants
|
|
|
|
to ${baseRoleId};
|
|
|
|
|
|
|
|
alter table tenants enable row level security;
|
|
|
|
|
|
|
|
create policy tenants_tenant_id on tenants
|
|
|
|
to ${baseRoleId}
|
|
|
|
using (db_user = current_user);
|
|
|
|
|
2023-02-08 18:58:45 +08:00
|
|
|
revoke all privileges
|
|
|
|
on table systems
|
|
|
|
from ${baseRoleId};
|
|
|
|
`);
|
|
|
|
|
|
|
|
// Enable RLS
|
|
|
|
await Promise.all(
|
|
|
|
tables.map(async (tableName) =>
|
|
|
|
pool.query(sql`
|
|
|
|
alter table ${getId(tableName)} enable row level security;
|
|
|
|
|
|
|
|
create policy ${getId(`${tableName}_tenant_id`)} on ${getId(tableName)}
|
|
|
|
to ${baseRoleId}
|
|
|
|
using (tenant_id = (select id from tenants where db_user = current_user));
|
|
|
|
`)
|
|
|
|
)
|
|
|
|
);
|
|
|
|
|
|
|
|
// Create database role for default tenant
|
|
|
|
const role = `logto_tenant_${database}_${defaultTenantId}`;
|
|
|
|
const password = generateStandardId(32);
|
|
|
|
|
|
|
|
await pool.query(sql`
|
|
|
|
update tenants
|
|
|
|
set db_user=${role}, db_user_password=${password}
|
|
|
|
where id=${defaultTenantId};
|
|
|
|
`);
|
|
|
|
await pool.query(sql`
|
|
|
|
create role ${sql.identifier([role])} with inherit login
|
2024-03-18 09:59:38 +08:00
|
|
|
password '${sql.raw(password)}'
|
2023-02-08 18:58:45 +08:00
|
|
|
in role ${sql.identifier([baseRole])};
|
|
|
|
`);
|
|
|
|
},
|
|
|
|
down: async (pool) => {
|
|
|
|
const database = await getDatabaseName(pool);
|
|
|
|
const baseRoleId = getId(`logto_tenant_${database}`);
|
|
|
|
const role = `logto_tenant_${database}_${defaultTenantId}`;
|
|
|
|
|
|
|
|
// Disable RLS
|
|
|
|
await Promise.all(
|
|
|
|
tables.map(async (tableName) =>
|
|
|
|
pool.query(sql`
|
|
|
|
drop policy ${getId(`${tableName}_tenant_id`)} on ${getId(tableName)};
|
|
|
|
alter table ${getId(tableName)} disable row level security;
|
|
|
|
`)
|
|
|
|
)
|
|
|
|
);
|
|
|
|
|
|
|
|
// Drop role
|
|
|
|
await pool.query(sql`
|
|
|
|
drop role ${getId(role)};
|
|
|
|
|
|
|
|
revoke all privileges
|
|
|
|
on all tables
|
|
|
|
in schema public
|
|
|
|
from ${baseRoleId};
|
|
|
|
|
2023-02-09 18:31:14 +08:00
|
|
|
drop policy tenants_tenant_id on tenants;
|
|
|
|
alter table tenants disable row level security;
|
|
|
|
|
2023-02-08 18:58:45 +08:00
|
|
|
drop role ${baseRoleId};
|
|
|
|
`);
|
|
|
|
|
|
|
|
// Drop db_user column from tenants table
|
|
|
|
await pool.query(sql`
|
|
|
|
alter table tenants
|
|
|
|
drop column db_user;
|
|
|
|
`);
|
|
|
|
|
|
|
|
// Revert hooks table from multi-tenancy
|
|
|
|
await pool.query(sql`
|
|
|
|
drop index hooks__id;
|
|
|
|
|
|
|
|
alter table hooks
|
2023-02-09 18:31:14 +08:00
|
|
|
drop column tenant_id,
|
|
|
|
alter column id type varchar(32);
|
|
|
|
|
|
|
|
create index hooks__event on hooks (event);
|
|
|
|
|
|
|
|
drop trigger set_tenant_id on hooks;
|
2023-02-08 18:58:45 +08:00
|
|
|
`);
|
|
|
|
},
|
|
|
|
};
|
|
|
|
|
|
|
|
export default alteration;
|