mirror of
https://github.com/logto-io/logto.git
synced 2025-01-13 21:30:30 -05:00
49 lines
1.7 KiB
TypeScript
49 lines
1.7 KiB
TypeScript
import { type CommonQueryMethods, sql } from 'slonik';
|
|
|
|
const getId = (value: string) => sql.identifier([value]);
|
|
|
|
const getDatabaseName = async (pool: CommonQueryMethods) => {
|
|
const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
|
|
select current_database();
|
|
`);
|
|
|
|
return currentDatabase.replaceAll('-', '_');
|
|
};
|
|
|
|
/**
|
|
* A function to call after the table is created. It will apply the necessary row-level security
|
|
* policies and triggers to the table.
|
|
*/
|
|
export const applyTableRls = async (pool: CommonQueryMethods, tableName: string) => {
|
|
const database = await getDatabaseName(pool);
|
|
const baseRoleId = getId(`logto_tenant_${database}`);
|
|
const table = getId(tableName);
|
|
|
|
await pool.query(sql`
|
|
create trigger set_tenant_id before insert on ${table}
|
|
for each row execute procedure set_tenant_id();
|
|
|
|
alter table ${table} enable row level security;
|
|
|
|
create policy ${getId(`${tableName}_tenant_id`)} on ${table}
|
|
as restrictive
|
|
using (tenant_id = (select id from tenants where db_user = current_user));
|
|
|
|
create policy ${getId(`${tableName}_modification`)} on ${table}
|
|
using (true);
|
|
|
|
grant select, insert, update, delete on ${table} to ${baseRoleId};
|
|
`);
|
|
};
|
|
|
|
/**
|
|
* A function to call before the table is dropped. It will remove the row-level security policies
|
|
* and triggers from the table.
|
|
*/
|
|
export const dropTableRls = async (pool: CommonQueryMethods, tableName: string) => {
|
|
await pool.query(sql`
|
|
drop policy ${getId(`${tableName}_modification`)} on ${getId(tableName)};
|
|
drop policy ${getId(`${tableName}_tenant_id`)} on ${getId(tableName)};
|
|
drop trigger set_tenant_id on ${getId(tableName)};
|
|
`);
|
|
};
|