0
Fork 0
mirror of https://github.com/logto-io/logto.git synced 2025-01-20 21:32:31 -05:00
logto/packages/schemas/alterations/next-1678269972-use-restrictive-policies.ts
Gao Sun bdd7374d31
refactor(schemas): use restrictive policies
for enhanced security and scalability. restrictive policies can
be combined with permissive policies for advanced use cases.
2023-03-08 19:16:42 +08:00

85 lines
2.4 KiB
TypeScript

import type { CommonQueryMethods } from 'slonik';
import { sql } from 'slonik';
import type { AlterationScript } from '../lib/types/alteration.js';
const tables = [
'applications_roles',
'applications',
'connectors',
'custom_phrases',
'logs',
'logto_configs',
'oidc_model_instances',
'passcodes',
'resources',
'roles_scopes',
'roles',
'scopes',
'sign_in_experiences',
'users_roles',
'users',
'verification_statuses',
'hooks',
];
const getDatabaseName = async (pool: CommonQueryMethods) => {
const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
select current_database();
`);
return currentDatabase.replaceAll('-', '_');
};
const alteration: AlterationScript = {
up: async (pool) => {
await Promise.all(
tables.map(async (tableRaw) => {
const table = sql.identifier([tableRaw]);
const tenantIdPolicy = sql.identifier([`${tableRaw}_tenant_id`]);
const modificationPolicy = sql.identifier([`${tableRaw}_modification`]);
await pool.query(sql`
drop policy ${tenantIdPolicy} on ${table};
create policy ${tenantIdPolicy} on ${table}
as restrictive
using (tenant_id = (select id from tenants where db_user = current_user));
create policy ${modificationPolicy} on ${table}
using (true);
`);
})
);
await pool.query(sql`
drop policy tenants_tenant_id on tenants;
create policy tenants_tenant_id on tenants
using (db_user = current_user);
`);
},
down: async (pool) => {
const role = sql.identifier([`logto_tenant_${await getDatabaseName(pool)}`]);
await Promise.all(
tables.map(async (tableRaw) => {
const table = sql.identifier([tableRaw]);
const tenantIdPolicy = sql.identifier([`${tableRaw}_tenant_id`]);
const modificationPolicy = sql.identifier([`${tableRaw}_modification`]);
await pool.query(sql`
drop policy ${tenantIdPolicy} on ${table};
drop policy ${modificationPolicy} on ${table};
create policy ${tenantIdPolicy} on ${table}
to ${role}
using (tenant_id = (select id from tenants where db_user = current_user));
`);
})
);
await pool.query(sql`
drop policy tenants_tenant_id on tenants;
create policy tenants_tenant_id on tenants
to ${role}
using (db_user = current_user);
`);
},
};
export default alteration;