atomic_tenant 1.3.1 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5475a908ae3732b52948ad107eb43a20da9b97f010e262f1f66b124cc453e3ee
-  data.tar.gz: 7999c4ab89bc4f10d325513ed5099af32342b9759c59218ad448950c01a9bb14
+  metadata.gz: d2d3e98335db46cdd62a93e555d5efa5b56741bdeb2bb7a7fc3a1954d0c111ce
+  data.tar.gz: 260711640f716ff03f2b699ee5b54c7004ad657bd835afaef5fd8e2884ebdbf4
 SHA512:
-  metadata.gz: 32414a833dda4bc89564f2d1178cd3395f8a2b234d6e3159098b94e755e0b87d2f49512d0fa7696738bff2ff0e6fbfdcc142589b0b8a9151887a76b17f453ea4
-  data.tar.gz: 4f8e5c8ac4c8014bd698d03dc217d2c4a5e345f568c3430ce7fec141001296fab35f37adc95da992d4a8530443c63b0c2fca5afdfb7bb9046ce14d411a5b78cf
+  metadata.gz: f4d38d829399bdd173ed68567f73bed3f45cfc4559e52a2db710369c28d6374a28bd8d7be3c0de87867dc8da76ecde743cf142615f1836c8969bd442e1eec3b8
+  data.tar.gz: 120d52e713b17c86be15ef2583c3cd08194adb21967cc677f53aef6af0d36217fdd311d1d605ae3a193f780c2afaaac61f0c0541859e709bce07893b36b3adb1

data/README.md

@@ -34,5 +34,93 @@ With the following content:
   AtomicTenant.admin_subdomain = "admin".freeze
 ```
 
+### Row Level Security Tenanting
+This gem also includes modules and helpers for a row level security tenanting solution.
+
+Configure the settings in the initializer:
+
+```ruby
+  AtomicTenant.tenants_table = :tenants
+  AtomicTenant.db_tenant_restricted_user = Rails.application.credentials.db_tenant_restricted_user
+```
+
+This example configures AtomicTenant to use the Tenant model as the tenants table, and will expect tenanted models to have a `tenant_id` field on them. db_tenant_restricted_user is the database user that will have row level security enforced.
+
+Add row level security to each tenanted table in a migration:
+
+```ruby
+  dir.up do
+    # Enable row level security and add row level security policies for the users table
+    AtomicTenant::RowLevelSecurity.add_row_level_security(:users)
+  end
+  dir.down do
+    # Remove row level security and remove row level security policies for the users table
+    AtomicTenant::RowLevelSecurity.remove_row_level_security(:users)
+  end
+```
+
+#### Tenantable
+Include the `AtomicTenant::Tenantable` module in your base model to default all models private:
+```ruby
+class ApplicationRecord < ActiveRecord::Base
+  include AtomicTenant::Tenantable
+end
+```
+
+If you default all models to private, non tenanted models can be marked public with `set_public_tenanted`:
+```ruby
+class Tenant < ApplicationRecord
+  set_public_tenanted
+end
+```
+
+Alternatively you can include `AtomicTenant::Tenantable` in just the models you want to be tenanted.
+
+There is a helper to verify that row level security is set on a model. If you default all models private, it's a good idea to have a test that verifies that all private models do actually have row level security enabled on them:
+```ruby
+require "rails_helper"
+
+RSpec.describe Tenant do
+  describe "private models have row level security enabled" do
+    it "ensures row level security is enabled for private tenanted models" do
+      Rails.application.eager_load!
+      private_models = AtomicTenant::Tenantable.private_tenanted_models.map(&:table_name)
+      expect(private_models).not_to be_empty
+
+      AtomicTenant::Tenantable.private_tenanted_models.each do |model|
+        expect do
+          AtomicTenant::Tenantable.verify_tenanted(model)
+        end.not_to raise_error
+      end
+    end
+  end
+end
+```
+
+#### TenantSwitching
+To use `TenantSwitching`, include the module in your tenant model:
+```ruby
+class Tenant < ApplicationRecord
+  set_public_tenanted
+  include AtomicTenant::TenantSwitching
+end
+```
+
+The `Tenant` model must have a key field.
+
+Switching tenants can then be done via Apartment-esque tenant switching methods:
+  1. ```ruby
+      Tenant.switch!(Tenant.find_by(key: "admin"))
+      ```
+  2. ```ruby
+      Tenant.switch(Tenant.find_by(key: "admin")) do
+        Tenant.current_key
+      end
+      # => "admin"
+
+      Tenant.current_key
+      # => "public"
+      ```
+
 ## License
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/app/models/atomic_tenant/lti_deployment.rb

@@ -1,4 +1,5 @@
 module AtomicTenant
   class LtiDeployment < ApplicationRecord
+    belongs_to :application_instance
   end
 end

data/app/models/atomic_tenant/pinned_client_id.rb

@@ -1,4 +1,5 @@
 module AtomicTenant
   class PinnedClientId < ApplicationRecord
+    belongs_to :application_instance
   end
 end

data/app/models/atomic_tenant/pinned_platform_guid.rb

@@ -1,4 +1,6 @@
 module AtomicTenant
   class PinnedPlatformGuid < ApplicationRecord
+    belongs_to :application
+    belongs_to :application_instance
   end
 end

data/lib/atomic_tenant/active_job.rb

@@ -0,0 +1,24 @@
+module AtomicTenant
+  module ActiveJob
+    extend ActiveSupport::Concern
+
+    class_methods do
+      def execute(job_data)
+        tenant_key = job_data.delete("tenant")
+        tenant = AtomicTenant.tenant_model.find_by(key: tenant_key)
+        AtomicTenant.tenant_model.switch(tenant) do
+          super
+        end
+      end
+    end
+
+    def initialize(*_args, **_kargs)
+      @tenant = AtomicTenant.tenant_model.current_key
+      super
+    end
+
+    def serialize
+      super.merge('tenant' => @tenant)
+    end
+  end
+end

data/lib/atomic_tenant/canvas_content_migration.rb

@@ -2,19 +2,18 @@ module AtomicTenant
   module CanvasContentMigration
     class InvalidTokenError < StandardError; end
 
-    ALGORITHM = "HS256".freeze
+    ALGORITHM = 'HS256'.freeze
     HEADER = 1
 
     # Decode Canvas content migration JWT
     # https://canvas.instructure.com/doc/api/file.tools_xml.html#content-migrations-support
 
-    def self.decode(token,  algorithm = ALGORITHM)
+    def self.decode(token, algorithm = ALGORITHM)
       unverified = JWT.decode(token, nil, false)
-      kid = unverified[HEADER]["kid"]
-      app_instance = ApplicationInstance.find_by!(lti_key: kid)
+      kid = unverified[HEADER]['kid']
+      ApplicationInstance.find_by!(lti_key: kid)
       # We don't validate because we're only setting the tenant for the request. The app
       # must validate the JWT.
-      app_instance
     end
   end
 end

data/lib/atomic_tenant/current_application_instance_middleware.rb

@@ -35,15 +35,16 @@ module AtomicTenant
             env['atomic.validated.application_instance_id'] = deployment.application_instance_id
           else
             deployment = deployment_manager.link_deployment_id(decoded_id_token: decoded_token)
-             env['atomic.validated.application_instance_id'] = deployment.application_instance_id
+            env['atomic.validated.application_instance_id'] = deployment.application_instance_id
           end
-        elsif env.dig("oauth_state", "application_instance_id").present?
-          env['atomic.validated.application_instance_id'] = env["oauth_state"]["application_instance_id"]
+        elsif env.dig('oauth_state', 'application_instance_id').present?
+          env['atomic.validated.application_instance_id'] = env['oauth_state']['application_instance_id']
         elsif is_admin?(request)
           admin_app_key = AtomicTenant.admin_subdomain
           admin_app = Application.find_by(key: admin_app_key)
 
           raise Exceptions::NoAdminApp if admin_app.nil?
+
           app_instances = admin_app.application_instances
 
           raise Exceptions::NonUniqueAdminApp if app_instances.count > 1
@@ -61,13 +62,10 @@ module AtomicTenant
           # the tenant for the request. If the token is invalid or expired the app must
           # return 401 or take other action.
           decoded_token = AtomicTenant::JwtToken.decode(token, validate: false)
-          if decoded_token.present? && decoded_token.first.present?
-            if app_instance_id = decoded_token.first['application_instance_id']
-              env['atomic.validated.application_instance_id'] = app_instance_id
-            end
+          if decoded_token.present? && decoded_token.first.present? && app_instance_id = decoded_token.first['application_instance_id']
+            env['atomic.validated.application_instance_id'] = app_instance_id
           end
         end
-
       rescue StandardError => e
         Rails.logger.error("Error in current app instance middleware: #{e}, #{e.backtrace}")
       end
@@ -76,10 +74,10 @@ module AtomicTenant
     end
 
     def is_admin?(request)
-      return true if request.path == "/readiness"
+      return true if request.path == '/readiness'
 
       host = request.host_with_port
-      subdomain = host&.split(".")&.first
+      subdomain = host&.split('.')&.first
 
       return false if subdomain.nil?
 
@@ -87,16 +85,16 @@ module AtomicTenant
     end
 
     def canvas_migration_hook?(request)
-      return true if request.path.match?(%r{^/api/ims_(import|export)})
+      true if request.path.match?(%r{^/api/ims_(import|export)})
     end
 
     def encoded_token(req)
       return req.params['jwt'] if req.params['jwt']
 
       # TODO: verify HTTP_AUTORIZAITON is the same as "Authorization"
-      if header = req.get_header('HTTP_AUTHORIZATION') # || req.headers[:authorization]
-        header.split(' ').last
-      end
+      return unless header = req.get_header('HTTP_AUTHORIZATION') # || req.headers[:authorization]
+
+      header.split(' ').last
     end
   end
 end

data/lib/atomic_tenant/exceptions.rb

@@ -7,5 +7,8 @@ module AtomicTenant
 
     class NonUniqueAdminApp < StandardError; end
     class NoAdminApp < StandardError; end
+    class InvalidTenantKeyError < StandardError; end
+    class TenantNotFoundError < StandardError; end
+    class TenantNotSet < StandardError; end
   end
-end
+end

data/lib/atomic_tenant/jwt_token.rb

@@ -2,60 +2,18 @@ module AtomicTenant
   module JwtToken
     class InvalidTokenError < StandardError; end
 
-    ALGORITHM = "HS512".freeze
+    ALGORITHM = 'HS512'.freeze
 
-    def self.decode(token,  algorithm = ALGORITHM, validate: true)
+    def self.decode(token, algorithm = ALGORITHM, validate: true)
       decoded_token = JWT.decode(
         token,
         AtomicTenant.jwt_secret,
         validate,
-        { algorithm: algorithm },
+        { algorithm: algorithm }
       )
-      if AtomicTenant.jwt_aud != decoded_token[0]["aud"]
-        return nil
-      end
+      return nil if AtomicTenant.jwt_aud != decoded_token[0]['aud']
 
       decoded_token
     end
-
-    def self.valid?(token, algorithm = ALGORITHM)
-      decode(token, algorithm)
-    end
-
-    def decoded_jwt_token(req)
-      token = valid?(encoded_token(req))
-      raise InvalidTokenError, 'Unable to decode jwt token' if token.blank?
-      raise InvalidTokenError, 'Invalid token payload' if token.empty?
-
-      token[0]
-    end
-
-    def validate_token_with_secret(aud, secret, req = request)
-      token = decoded_jwt_token(req, secret)
-      raise InvalidTokenError if aud != token['aud']
-    rescue JWT::DecodeError, InvalidTokenError => e
-      Rails.logger.error "JWT Error occured: #{e.inspect}"
-      render json: { error: 'Unauthorized: Invalid token.' }, status: :unauthorized
-    end
-
-    def encoded_token!(req)
-      return req.params[:jwt] if req.params[:jwt]
-
-      header = req.headers['Authorization'] || req.headers[:authorization]
-      raise InvalidTokenError, 'No authorization header found' if header.nil?
-
-      token = header.split(' ').last
-      raise InvalidTokenError, 'Invalid authorization header string' if token.nil?
-
-      token
-    end
-
-    def encoded_token(req)
-      return req.params[:jwt] if req.params[:jwt]
-
-      if header = req.headers['Authorization'] || req.headers[:authorization]
-        header.split(' ').last
-      end
-    end
   end
 end

data/lib/atomic_tenant/row_level_security.rb

@@ -0,0 +1,24 @@
+module AtomicTenant::RowLevelSecurity
+  def self.add_row_level_security(table_name)
+    app_username = ActiveRecord::Base.connection.quote_column_name(AtomicTenant.db_tenant_restricted_user)
+    safe_table_name = ActiveRecord::Base.connection.quote_table_name(table_name)
+    policy_name = ActiveRecord::Base.connection.quote_table_name("#{table_name}_tenant_enforcement")
+    rls_setting_name = ActiveRecord::Base.connection.quote("rls.#{AtomicTenant.tenanted_by}")
+    tenanted_by = ActiveRecord::Base.connection.quote_column_name(AtomicTenant.tenanted_by)
+
+    ActiveRecord::Base.connection.execute("ALTER TABLE #{safe_table_name} ENABLE ROW LEVEL SECURITY")
+    ActiveRecord::Base.connection.execute <<~SQL
+      CREATE POLICY #{policy_name}
+      ON #{safe_table_name}
+      TO #{app_username}
+      USING (#{tenanted_by} = NULLIF(current_setting(#{rls_setting_name}, TRUE), '')::bigint)
+    SQL
+  end
+
+  def self.remove_row_level_security(table_name)
+    safe_table_name = ActiveRecord::Base.connection.quote_table_name(table_name)
+    policy_name = ActiveRecord::Base.connection.quote_table_name("#{table_name}_tenant_enforcement")
+    ActiveRecord::Base.connection.execute("DROP POLICY #{policy_name} ON #{safe_table_name}")
+    ActiveRecord::Base.connection.execute("ALTER TABLE #{safe_table_name} DISABLE ROW LEVEL SECURITY")
+  end
+end

data/lib/atomic_tenant/tenant_switching.rb

@@ -0,0 +1,73 @@
+module AtomicTenant::TenantSwitching
+  extend ActiveSupport::Concern
+
+  included do
+    validates :key, presence: true, uniqueness: true
+
+    def self.switch!(tenant = nil)
+      if tenant
+        connection.clear_query_cache
+        Thread.current[:tenant] = tenant
+
+        variable = ActiveRecord::Base.connection.quote_column_name("rls.#{AtomicTenant.tenanted_by}")
+        query = "SET #{variable} = %s"
+        ActiveRecord::Base.connection.exec_query(query % connection.quote(tenant.id), 'SQL')
+      else
+        reset!
+      end
+    end
+
+    def self.reset!
+      connection.clear_query_cache
+      Thread.current[:tenant] = nil
+
+      variable = ActiveRecord::Base.connection.quote_column_name("rls.#{AtomicTenant.tenanted_by}")
+      query = "RESET #{variable}"
+      ActiveRecord::Base.connection.exec_query(query, 'SQL')
+    end
+
+    def self.switch_tenant_legacy!(tenant_key = nil)
+      if tenant_key
+        tenant = tenant_from_key!(tenant_key)
+        switch!(tenant)
+      else
+        reset!
+      end
+    end
+
+    def self.current_key
+      Thread.current[:tenant]&.key || 'public'
+    end
+
+    def self.current
+      Thread.current[:tenant]
+    end
+
+    def self.switch_tenant_legacy(tenant_key, &block)
+      tenant = tenant_from_key!(tenant_key)
+      switch(tenant, &block)
+    end
+
+    def self.tenant_from_key!(tenant_key)
+      tenant = AtomicTenant.tenant_model.find_by(key: tenant_key)
+      raise AtomicTenant::Exceptions::InvalidTenantKeyError, tenant_key unless tenant.present?
+
+      tenant
+    end
+
+    def self.switch(tenant, &block)
+      previous_tenant = Thread.current[:tenant]
+
+      begin
+        switch!(tenant)
+        block.call
+      ensure
+        if previous_tenant.present?
+          switch!(previous_tenant)
+        else
+          reset!
+        end
+      end
+    end
+  end
+end

data/lib/atomic_tenant/tenantable.rb

@@ -0,0 +1,91 @@
+module AtomicTenant::Tenantable
+  extend ActiveSupport::Concern
+
+  @public_tenanted_models = Set.new
+  @private_tenanted_models = Set.new
+
+  class << self
+    attr_reader :public_tenanted_models, :private_tenanted_models
+
+    def register_public_tenanted_model(model)
+      @public_tenanted_models.add(model)
+      @private_tenanted_models.delete(model)
+    end
+
+    def register_private_tenanted_model(model)
+      @private_tenanted_models.add(model)
+      @public_tenanted_models.delete(model)
+    end
+
+    def verify_tenanted(model)
+      query = <<~SQL
+        SELECT relrowsecurity
+        FROM pg_class
+        WHERE relname = $1;
+      SQL
+
+      result = ActiveRecord::Base.connection.exec_query(
+        query,
+        'SQL',
+        [
+          ActiveRecord::Relation::QueryAttribute.new(
+            'relname',
+            model.table_name,
+            ActiveRecord::Type::String.new
+          )
+        ]
+      )
+
+      return if result.first['relrowsecurity']
+
+      raise "Model #{model.name} is not public but does not have row level security. Did you forget to add row level security in your migration?"
+    end
+  end
+
+  included do
+    class_attribute :is_tenanted, instance_writer: false, default: true
+
+    before_create :set_tenant_id
+    before_validation :set_tenant_id, on: :create
+    validate :in_current_tenant
+
+    def self.inherited(subclass)
+      super
+
+      return unless subclass <= ActiveRecord::Base && !subclass.abstract_class?
+
+      AtomicTenant::Tenantable.register_private_tenanted_model(subclass)
+    end
+
+    private
+
+    def set_tenant_id
+      return unless self.class.is_tenanted?
+
+      tenant = AtomicTenant.tenant_model.current
+      raise AtomicTenant::Exceptions::TenantNotSet unless tenant.present?
+
+      self[AtomicTenant.tenanted_by] = tenant.id
+    end
+
+    def in_current_tenant
+      return unless self.class.is_tenanted?
+
+      tenant = AtomicTenant.tenant_model.current
+      raise AtomicTenant::Exceptions::TenantNotSet unless tenant.present?
+
+      return unless self[AtomicTenant.tenanted_by] != tenant.id
+
+      errors.add(AtomicTenant.tenanted_by, "must be set to the current tenant's id")
+    end
+  end
+
+  class_methods do
+    private
+
+    def set_public_tenanted
+      AtomicTenant::Tenantable.register_public_tenanted_model(self)
+      self.is_tenanted = false
+    end
+  end
+end

data/lib/atomic_tenant/version.rb

@@ -1,3 +1,3 @@
 module AtomicTenant
-  VERSION = '1.3.1'
+  VERSION = '1.4.0'
 end

data/lib/atomic_tenant.rb

@@ -5,6 +5,10 @@ require 'atomic_tenant/deployment_manager/client_id_strategy'
 require 'atomic_tenant/deployment_manager/deployment_manager_strategy'
 require 'atomic_tenant/engine'
 require 'atomic_tenant/current_application_instance_middleware'
+require 'atomic_tenant/tenant_switching'
+require 'atomic_tenant/row_level_security'
+require 'atomic_tenant/tenantable'
+require 'atomic_tenant/active_job'
 
 module AtomicTenant
   mattr_accessor :custom_strategies
@@ -13,9 +17,18 @@ module AtomicTenant
   mattr_accessor :jwt_aud
 
   mattr_accessor :admin_subdomain
-
+  mattr_accessor :tenants_table
+  mattr_accessor :db_tenant_restricted_user
 
   def self.get_application_instance(iss:, deployment_id:)
     AtomicTenant::LtiDeployment.find_by(iss: iss, deployment_id: deployment_id)
   end
+
+  def self.tenant_model
+    AtomicTenant.tenants_table.to_s.classify.constantize
+  end
+
+  def self.tenanted_by
+    "#{AtomicTenant.tenants_table.to_s.singularize}_id"
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: atomic_tenant
 version: !ruby/object:Gem::Version
-  version: 1.3.1
+  version: 1.4.0
 platform: ruby
 authors:
 - Nick Benoit
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-03 00:00:00.000000000 Z
+date: 2024-11-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: atomic_lti
@@ -19,7 +19,7 @@ dependencies:
         version: '1.3'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,21 +29,41 @@ dependencies:
         version: '1.3'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '7.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '9'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '7.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '9'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 description: Description of AtomicTenant.
 email:
 - nick.benoit@atomicjolt.com
@@ -64,6 +84,7 @@ files:
 - db/migrate/20220816223258_create_atomic_tenant_pinned_client_ids.rb
 - db/migrate/20240704002449_add_atomic_tenant_lti_deployment_platform_notification_status.rb
 - lib/atomic_tenant.rb
+- lib/atomic_tenant/active_job.rb
 - lib/atomic_tenant/canvas_content_migration.rb
 - lib/atomic_tenant/current_application_instance_middleware.rb
 - lib/atomic_tenant/deployment_manager/client_id_strategy.rb
@@ -73,6 +94,9 @@ files:
 - lib/atomic_tenant/engine.rb
 - lib/atomic_tenant/exceptions.rb
 - lib/atomic_tenant/jwt_token.rb
+- lib/atomic_tenant/row_level_security.rb
+- lib/atomic_tenant/tenant_switching.rb
+- lib/atomic_tenant/tenantable.rb
 - lib/atomic_tenant/version.rb
 - lib/tasks/atomic_tenant_tasks.rake
 homepage: https://example.com
@@ -94,7 +118,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.19
+rubygems_version: 3.5.16
 signing_key:
 specification_version: 4
 summary: Summary of AtomicTenant.