granar 0.1.1

data/db/migrate/20220411133054_create_rbac_rls_permissions.rb

@@ -0,0 +1,18 @@
+class CreateRbacRlsPermissions < ActiveRecord::Migration[7.0]
+  def change
+    create_table :permissions do |t|
+      t.string :name, limit: 30
+      t.string :table_name, limit: 255, null: false
+      t.boolean :read, default: false
+      t.boolean :write, default: false
+      t.boolean :change, default: false
+      t.boolean :remove, default: false
+      t.boolean :owner_read, default: false
+      t.boolean :owner_change, default: false
+      t.boolean :owner_remove, default: false
+      t.references :permission, null: true, index: true
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20220425212731_create_role_permissions.rb

@@ -0,0 +1,9 @@
+class CreateRolePermissions < ActiveRecord::Migration[7.0]
+  def change
+    create_table :role_permissions do |t|
+      t.references :role, null: false, foreign_key: true
+      t.references :permission, null: false, foreign_key: true
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20220912104712_create_rbac_rls_groups.rb

@@ -0,0 +1,10 @@
+class CreateRbacRlsGroups < ActiveRecord::Migration[7.0]
+  def change
+    create_table :groups do |t|
+      t.string :name, limit: 60
+      t.string :comments, limit: 255
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20220912104929_create_rbac_rls_group_permissions.rb

@@ -0,0 +1,12 @@
+class CreateRbacRlsGroupPermissions < ActiveRecord::Migration[7.0]
+  def change
+    create_table :group_permissions do |t|
+      t.references :permission, null: false, foreign_key: true
+      t.references :group, null: false, foreign_key: true
+      t.string :table_key, null: false, limit: 60
+      t.string :table_value, null: false, limit: 60
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20220914004802_create_rbac_rls_group_users.rb

@@ -0,0 +1,10 @@
+class CreateRbacRlsGroupUsers < ActiveRecord::Migration[7.0]
+  def change
+    create_table :group_users do |t|
+      t.references :user, null: false, foreign_key: true
+      t.references :group, null: false, foreign_key: true
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20220914004803_create_basic_permissions_for_application_acess.rb

@@ -0,0 +1,18 @@
+class CreateBasicPermissionsForApplicationAcess < ActiveRecord::Migration[7.0]
+  def change
+    schema = 'public'
+    user = 'app_user'
+    where_schema = ->(schema_name = nil) do
+      schema_name.present? ? "WHERE table_schema  = '#{schema_name}'" : ''
+    end
+
+    sql = "SELECT table_name FROM information_schema.tables #{where_schema[schema]}"
+    result = ActiveRecord::Base.connection.select_all(sql)
+    tables = result.map { |k| k['table_name'] }
+    tables&.each do |table|
+      execute "GRANT ALL PRIVILEGES on #{schema}.#{table}  TO #{user}"
+    end
+
+    execute 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO app_user'
+  end
+end

data/lib/generators/generator_helpers.rb

@@ -0,0 +1,8 @@
+module RbacRls
+  module Generators
+    # Some helpers for generating scaffolding
+    module GeneratorHelpers
+      attr_accessor :options, :attributes
+    end
+  end
+end

data/lib/generators/rbac_rls/custom_migration_generator.rb

@@ -0,0 +1,78 @@
+# class_option :skip_show, type: :boolean, default: false, desc: 'Skip "show" action'
+# class_option :attributes, type: :hash, default: {}
+# require 'rails/generators'
+#  exemplo: # rails generate rbac_rls:custom_migration  products
+
+require 'rails/command/base'
+require 'rails/generators/named_base'
+require 'generators/generator_helpers'
+require 'rails/generators/rails/migration/migration_generator'
+require 'rails/generators/migration'
+require 'active_record/migration'
+require 'thor/actions/inject_into_file'
+module Rails
+  module Generators
+    module Migration
+      module ClassMethods
+        def next_migration_number(dirname)
+          next_migration_number = current_migration_number(dirname) + 1
+          ActiveRecord::Migration.next_migration_number(next_migration_number)
+        end
+      end
+    end
+  end
+end
+#deve se sobrescrever os tipos pois será criado um  novo tipo para o row level security
+# ActiveRecord::Base.connection.native_database_types
+ActiveRecord::Base.connection.class_eval do
+  def native_database_types # :nodoc:
+    { role: { name: "rls" },
+      all: { name: "rls" },
+      user: { name: "rls" }, }
+  end
+end
+
+#
+module RbacRls
+  module Generators
+    class CustomMigrationGenerator < Rails::Generators::NamedBase
+      attr_accessor :time_now
+      argument :attributes, type: :array, default: [], banner: "field[:type][:index] field[:type][:index]"
+
+      class_option :permission_identifier, type: :string, default: Time.now.getutc.to_i.to_s, desc: ''
+      # class_option :sufix_migration_name, type: :string, default: Time.now.getutc.to_i.to_s, desc: ''
+      include Rails::Generators::Migration
+      include RbacRls::Generators::GeneratorHelpers
+      # ActiveRecord::ConnectionAdapters::SchemaStatements
+      # include Rails::Generators::MigrationGenerator
+      # ActiveRecord::ConnectionAdapters::Table
+      # Rails::Generators::Error
+      # ActiveRecord::Base.connection.valid_type?
+
+      source_root File.expand_path('../templates', __FILE__)
+
+      def migration_define_template
+        attrs = attributes.map { |i| i.name }
+        str = attrs.join('_')
+
+        migration_template('../templates/rls_migration.rb',
+                           File.join('db/migrate', "create_#{name.underscore}_#{options[:permission_identifier]}_policy.rb")
+        )
+      end
+
+    end
+  end
+end
+
+# def insert_code
+#   insert_into_file 'app/controllers/application_controller.rb', :before => "end" do
+#     "\n around_action :with_customer_id \n"
+#   end
+#   insert_into_file 'app/controllers/application_controller.rb', :before => "end" do
+#     "\ndef with_customer_id
+#         ApplicationRecord.with_customer_id(current_user.id) do
+#           yield
+#         end
+#       end\n"
+#   end
+# end

data/lib/generators/rbac_rls/group_permission_generator.rb

@@ -0,0 +1,57 @@
+#  exemplo: # rails generate rbac_rls:custom_migration  products
+
+require 'rails/command/base'
+require 'rails/generators/named_base'
+require 'generators/generator_helpers'
+require 'rails/generators/rails/migration/migration_generator'
+require 'rails/generators/migration'
+require 'active_record/migration'
+require 'thor/actions/inject_into_file'
+module Rails
+  module Generators
+    module Migration
+      module ClassMethods
+        def next_migration_number(dirname)
+          next_migration_number = current_migration_number(dirname) + 1
+          ActiveRecord::Migration.next_migration_number(next_migration_number)
+        end
+      end
+    end
+  end
+end
+
+#deve se sobrescrever os tipos pois será criado um  novo tipo para o row level security
+# ActiveRecord::Base.connection.native_database_types
+ActiveRecord::Base.connection.class_eval do
+  def native_database_types # :nodoc:
+    { table_key: { name: "rls" },
+      table_value: { name: "rls" },
+      user: { name: "rls" }, }
+  end
+end
+
+#
+module RbacRls
+  module Generators
+    class GroupPermissionGenerator < Rails::Generators::NamedBase
+      attr_accessor :time_now
+      argument :attributes, type: :array, default: [], banner: "field[:type][:index] field[:type][:index]"
+      class_option :identifier, type: :string, default: Time.now.getutc.to_i.to_s, desc: ''
+      include Rails::Generators::Migration
+      include RbacRls::Generators::GeneratorHelpers
+
+      source_root File.expand_path('../templates', __FILE__)
+
+      def migration_define_template
+        attrs = attributes.map { |i| i.name }
+        str = attrs.join('_')
+
+        full_name = "#{name}#{options[:identifier]}".underscore
+        # byebug
+        migration_template('../templates/group_permission_migration.rb',
+                           File.join('db/migrate', "create_#{full_name}_gpolicy.rb"))
+      end
+
+    end
+  end
+end

data/lib/generators/rbac_rls/templates/group_permission_migration.rb

@@ -0,0 +1,83 @@
+<%
+# rails generate rbac_rls:custom_migration  table_name
+time_now = Time.now.getutc.to_i
+attrs = attributes.map { |i| i.name.camelize }
+table_key = attributes.select{ |attr|  attr.type.to_sym == :table_key }.first.name
+table_value = attributes.select{ |attr|  attr.type.to_sym == :table_value }.first.name
+gen_table_name = name.underscore
+
+limit_policy_name = 63
+type_polices = {insert: :write,
+                select: :read,
+                update: :change,
+                delete: :remove}
+type_polices_owner = {select: :owner_read,
+                      update: :owner_change,
+                      delete: :owner_remove}
+# byebug
+%>
+class Create<%= "#{"#{name}#{options[:identifier]}".camelize}" %>Gpolicy < ActiveRecord::Migration[7.0]
+
+def change
+  <%
+            policy_name = ->(table_name,method) {  "p#{time_now}#{table_name}#{method}"[0,limit_policy_name] }
+  db_role = "app_user"
+  permission_id =  options[:permission_identifier]
+  owner_rls_policy = ->(type){
+    if type.to_sym != :insert
+      "
+      or
+              (
+              NULLIF(current_setting('rls.user_id', TRUE), '')::bigint in
+        (
+     SELECT
+          gu.user_id
+        FROM permissions p
+          INNER JOIN group_permissions gp   on gp.permission_id  = p.id
+            INNER JOIN group_users gu on gu.group_id   = gp.group_id
+        WHERE (p.\"#{type_polices[type.to_sym]}\")
+          AND p.table_name = '#{gen_table_name}'
+        )  and  owner_id = NULLIF(current_setting('rls.user_id', TRUE), '')::bigint  )
+      "
+    end
+  }
+  constraint_for_rls = ->(type) {"
+((
+  NULLIF(current_setting('rls.user_id', TRUE), '')::bigint in
+    (
+      SELECT
+      gu.user_id
+      FROM permissions p
+      INNER JOIN group_permissions gp   on gp.permission_id  = p.id
+      INNER JOIN group_users gu on gu.group_id   = gp.group_id
+      WHERE (p.\"#{type_polices[type.to_sym]}\")
+      AND p.table_name = '#{gen_table_name}'
+    )
+) #{owner_rls_policy[type]}  ) and  #{table_key.to_s} LIKE '%#{table_value}%'
+
+  "
+  }
+  %>
+
+    <% %i(insert select update delete).each  do |attr| %>
+  execute '<%="GRANT  #{attr} ON #{name} TO #{db_role}"%>'
+  execute '<%= "ALTER TABLE #{name} ENABLE ROW LEVEL SECURITY" %>'
+  reversible do |dir|
+    dir.up do
+      <%if  attr.to_sym  ==:insert  %>
+        execute <<-SQL
+          <%= "CREATE POLICY #{policy_name.(name, attr.to_sym)} ON #{name} for  #{attr.to_s} TO #{db_role} with check  (#{constraint_for_rls[attr.to_s]})" %>
+      SQL
+      <% elsif  %i(select update delete).include?(attr.to_sym)  %>
+        execute <<-SQL
+          <%= "CREATE POLICY #{policy_name.(name, attr.to_sym)} ON #{name} for  #{attr.to_s} TO #{db_role} using (#{constraint_for_rls[attr.to_s]})" %>
+      SQL
+      <%end%>
+    end
+  end
+  <% end %>
+
+
+
+end
+end

data/lib/generators/rbac_rls/templates/rls_migration.rb

@@ -0,0 +1,81 @@
+<%
+# rails generate rbac_rls:custom_migration  table_name
+time_now = Time.now.getutc.to_i
+attrs = attributes.map { |i| i.name.camelize }
+
+limit_policy_name = 63
+type_polices = {insert: :write,
+                select: :read,
+                update: :change,
+                delete: :remove}
+type_polices_owner = {select: :owner_read,
+                      update: :owner_change,
+                      delete: :owner_remove}
+%>
+
+class Create<%= "#{name.underscore.camelize}#{options[:permission_identifier]}" %>Policy < ActiveRecord::Migration[7.0]
+
+def change
+  <%
+            policy_name = ->(table_name,method) {  "p#{time_now}#{table_name}#{method}"[0,limit_policy_name] }
+  db_role = "app_user"
+  permission_id =  options[:permission_identifier]
+  owner_rls_policy = ->(type){
+    if type.to_sym != :insert
+      "
+      or
+              (
+              NULLIF(current_setting('rls.user_id', TRUE), '')::bigint in
+        (
+          SELECT
+            ur.user_id
+          FROM permissions p
+            INNER JOIN role_permissions rp  on rp.permission_id  = p.id
+              INNER JOIN user_roles ur  on rp.role_id  = ur.role_id
+          WHERE (p.\"#{type_polices_owner[type.to_sym]}\")
+            AND p.table_name = 'products'
+        )  and  owner_id = NULLIF(current_setting('rls.user_id', TRUE), '')::bigint  )
+      "
+    end
+  }
+  constraint_for_rls = ->(type) {"
+                 NULLIF(current_setting('rls.user_id', TRUE), '')::bigint in
+            (
+              SELECT
+                ur.user_id
+              FROM permissions p
+                INNER JOIN role_permissions rp  on rp.permission_id  = p.id
+                  INNER JOIN user_roles ur  on rp.role_id  = ur.role_id
+              WHERE (p.\"#{type_polices[type.to_sym]}\")
+                AND p.table_name = 'products'
+            )
+            #{owner_rls_policy[type]}
+  "
+  }
+  %>
+
+
+
+
+    <% %i(insert select update delete).each  do |attr| %>
+  execute '<%="GRANT  #{attr} ON #{name} TO #{db_role}"%>'
+  execute '<%= "ALTER TABLE #{name} ENABLE ROW LEVEL SECURITY" %>'
+  reversible do |dir|
+    dir.up do
+      <%if  attr.to_sym  ==:insert  %>
+        execute <<-SQL
+          <%= "CREATE POLICY #{policy_name.(name, attr.to_sym)} ON #{name} for  #{attr.to_s} TO #{db_role} with check  (#{constraint_for_rls[attr.to_s]})" %>
+      SQL
+      <% elsif  %i(select update delete).include?(attr.to_sym)  %>
+        execute <<-SQL
+          <%= "CREATE POLICY #{policy_name.(name, attr.to_sym)} ON #{name} for  #{attr.to_s} TO #{db_role} using (#{constraint_for_rls[attr.to_s]})" %>
+      SQL
+      <%end%>
+    end
+  end
+  <% end %>
+
+
+
+end
+end

data/lib/generators/rbac_rls/templates/rls_migration.rb.erb

@@ -0,0 +1,64 @@
+<%
+time_now = Time.now.getutc.to_i
+attrs = attributes.map { |i| i.name.camelize }
+str = attrs.join('')
+limit_policy_name = 63
+type_polices = {insert: :write,select: :read,update: :change, delete: :remove}
+type_polices_owner = {insert: :owner_write,select: :owner_read,update: :owner_change, delete: :owner_remove}
+
+%>
+
+class Create<%= "#{name.underscore.camelize}" %>Policy<%="#{}" %> < ActiveRecord::Migration[7.0]
+
+  def change
+    <%
+            policy_name = ->(table_name,method) {  "p#{time_now}#{table_name}#{method}"[0,limit_policy_name] }
+    db_role = "app_user"
+    permission_id =  options[:permission_identifier]
+
+    constraint_for_rls = ->(type) {"
+                 NULLIF(current_setting('rls.user_id', TRUE), '')::bigint in
+            (
+              SELECT
+                ur.user_id
+              FROM permissions p
+                INNER JOIN role_permissions rp  on rp.permission_id  = p.id
+                  INNER JOIN user_roles ur  on rp.role_id  = ur.role_id
+              WHERE (p.\"#{type_polices[type.to_sym]}\")
+                AND p.table_name = 'products'
+            )
+            or
+              (
+              NULLIF(current_setting('rls.user_id', TRUE), '')::bigint in
+        (
+          SELECT
+            ur.user_id
+          FROM permissions p
+            INNER JOIN role_permissions rp  on rp.permission_id  = p.id
+              INNER JOIN user_roles ur  on rp.role_id  = ur.role_id
+          WHERE (p.\"#{type_polices_owner[type.to_sym]}\")
+            AND p.table_name = 'products'
+        )  and  owner_id = NULLIF(current_setting('rls.user_id', TRUE), '')::bigint
+            )
+          "
+    }
+    %>
+    <% %i(insert select update delete).each  do |attr| %>
+    execute '<%="GRANT  #{attr} ON #{name} TO #{db_role}"%>'
+    execute '<%= "ALTER TABLE #{name} ENABLE ROW LEVEL SECURITY" %>'
+    reversible do |dir|
+      dir.up do
+        <%if  attr.to_sym  ==:insert  %>
+        execute <<-SQL
+          <%= "CREATE POLICY #{policy_name.(name, attr.to_sym)} ON #{name} for  #{attr.to_s} TO #{db_role} with check  (#{constraint_for_rls[attr.to_s]})" %>
+        SQL
+          <% elsif  %i(select update delete).include?(attr.to_sym)  %>
+        execute <<-SQL
+          <%= "CREATE POLICY #{policy_name.(name, attr.to_sym)} ON #{name} for  #{attr.to_s} TO #{db_role} using (#{constraint_for_rls[attr.to_s]})" %>
+        SQL
+        <%end%>
+      end
+    end
+    <% end %>
+  end
+end

data/lib/generators/rbac_rls/templates/rls_migration2.rb.erb

@@ -0,0 +1,80 @@
+<%
+time_now = Time.now.getutc.to_i
+attrs = attributes.map { |i| i.name.camelize }
+
+limit_policy_name = 63
+type_polices = {insert: :write,
+                select: :read,
+                update: :change,
+                 delete: :remove}
+type_polices_owner = {select: :owner_read,
+                      update: :owner_change,
+                      delete: :owner_remove}
+%>
+
+class Create<%= "#{name.underscore.camelize}#{options[:permission_identifier]}" %>Policy < ActiveRecord::Migration[7.0]
+
+  def change
+    <%
+            policy_name = ->(table_name,method) {  "p#{time_now}#{table_name}#{method}"[0,limit_policy_name] }
+    db_role = "app_user"
+    permission_id =  options[:permission_identifier]
+    owner_rls_policy = ->(type){
+      if type.to_sym != :insert
+        "
+      or
+              (
+              NULLIF(current_setting('rls.user_id', TRUE), '')::bigint in
+        (
+          SELECT
+            ur.user_id
+          FROM permissions p
+            INNER JOIN role_permissions rp  on rp.permission_id  = p.id
+              INNER JOIN user_roles ur  on rp.role_id  = ur.role_id
+          WHERE (p.\"#{type_polices_owner[type.to_sym]}\")
+            AND p.table_name = 'products'
+        )  and  owner_id = NULLIF(current_setting('rls.user_id', TRUE), '')::bigint  )
+      "
+      end
+    }
+    constraint_for_rls = ->(type) {"
+                 NULLIF(current_setting('rls.user_id', TRUE), '')::bigint in
+            (
+              SELECT
+                ur.user_id
+              FROM permissions p
+                INNER JOIN role_permissions rp  on rp.permission_id  = p.id
+                  INNER JOIN user_roles ur  on rp.role_id  = ur.role_id
+              WHERE (p.\"#{type_polices[type.to_sym]}\")
+                AND p.table_name = 'products'
+            )
+            #{owner_rls_policy[type]}
+    "
+    }
+    %>
+
+
+
+
+    <% %i(insert select update delete).each  do |attr| %>
+    execute '<%="GRANT  #{attr} ON #{name} TO #{db_role}"%>'
+    execute '<%= "ALTER TABLE #{name} ENABLE ROW LEVEL SECURITY" %>'
+    reversible do |dir|
+      dir.up do
+        <%if  attr.to_sym  ==:insert  %>
+        execute <<-SQL
+          <%= "CREATE POLICY #{policy_name.(name, attr.to_sym)} ON #{name} for  #{attr.to_s} TO #{db_role} with check  (#{constraint_for_rls[attr.to_s]})" %>
+        SQL
+          <% elsif  %i(select update delete).include?(attr.to_sym)  %>
+        execute <<-SQL
+          <%= "CREATE POLICY #{policy_name.(name, attr.to_sym)} ON #{name} for  #{attr.to_s} TO #{db_role} using (#{constraint_for_rls[attr.to_s]})" %>
+        SQL
+        <%end%>
+      end
+    end
+    <% end %>
+
+
+
+  end
+end

data/lib/rbac_rls/engine.rb

@@ -0,0 +1,21 @@
+require 'importmap-rails'
+require 'importmap/commands'
+require 'importmap/map'
+require 'importmap/packager'
+require 'importmap/reloader'
+
+require 'bootstrap'
+require 'vanilla_nested'
+require 'vanilla_nested/view_helpers'
+
+module RbacRls
+  class Engine < ::Rails::Engine
+    isolate_namespace RbacRls
+
+    # initializer "rbac_rls.precompile" do |app|
+    #   app.config.assets.paths << Rails.root.join('app/assets/javascripts')
+    #   app.config.assets.precompile << "application.js"
+    # end
+
+  end
+end

data/lib/rbac_rls/version.rb

@@ -0,0 +1,3 @@
+module RbacRls
+  VERSION = "0.1.1"
+end

data/lib/rbac_rls.rb

@@ -0,0 +1,6 @@
+require "rbac_rls/version"
+require "rbac_rls/engine"
+
+module RbacRls
+  # Your code goes here...
+end

data/lib/tasks/rbac_rls_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :rbac_rls do
+#   # Task goes here
+# end