pg_rls 0.2.5 → 1.0.1

data/lib/pg_rls/active_record/connection_adapters/postgre_sql/check_rls_user_privileges.rb

@@ -0,0 +1,207 @@
+# frozen_string_literal: true
+
+module PgRls
+  module ActiveRecord
+    module ConnectionAdapters
+      module PostgreSQL
+        # This module contains the logic to validate user privileges
+        module CheckRlsUserPrivileges
+          include SqlHelperMethod
+
+          def check_rls_user_privileges!(role_name, schema = PgRls.schema, rls_role_group = PgRls.rls_role_group)
+            check_user_exists!(role_name) && check_user_in_rls_group!(role_name) &&
+              check_schema_usage_privilege!(rls_role_group, schema) &&
+              check_default_table_privileges!(rls_role_group,
+                                              schema) && check_default_sequence_privileges!(rls_role_group, schema)
+          end
+
+          def check_table_privileges!(role_name, schema, table_name)
+            execute_sql!(check_table_privileges_sql(role_name, schema, table_name))
+            true
+          rescue ::ActiveRecord::StatementInvalid => e
+            raise UserMissingTablePrivilegesError, e.message
+          end
+
+          def check_sequence_privileges!(role_name, schema, sequence_name)
+            execute_sql!(check_sequence_privileges_sql(role_name, schema, sequence_name))
+            true
+          rescue ::ActiveRecord::StatementInvalid => e
+            raise UserMissingSequencePrivilegesError, e.message
+          end
+
+          def check_table_rls_enabled!(table_name, schema = PgRls.schema)
+            execute_sql!(check_table_rls_enabled_sql(schema, table_name))
+            true
+          rescue ::ActiveRecord::StatementInvalid => e
+            raise TableRlsNotEnabledError, e.message
+          end
+
+          def check_table_user_policy_exists!(table_name, user, schema = PgRls.schema)
+            execute_sql!(check_table_user_policy_exists_sql(schema, table_name, user))
+            true
+          rescue ::ActiveRecord::StatementInvalid => e
+            raise TableUserPolicyDoesNotExistError, e.message
+          end
+
+          private
+
+          def check_user_exists!(role_name)
+            execute_sql!(check_user_exists_sql(role_name))
+            true
+          rescue ::ActiveRecord::StatementInvalid => e
+            raise UserDoesNotExistError, e.message
+          end
+
+          def check_user_in_rls_group!(role_name)
+            execute_sql!(check_user_in_rls_group_sql(role_name))
+            true
+          rescue ::ActiveRecord::StatementInvalid => e
+            raise UserNotInPgRlsGroupError, e.message
+          end
+
+          def check_schema_usage_privilege!(role_name, schema)
+            execute_sql!(check_schema_usage_privilege_sql(role_name, schema))
+            true
+          rescue ::ActiveRecord::StatementInvalid => e
+            raise UserMissingSchemaUsagePrivilegeError, e.message
+          end
+
+          def check_default_table_privileges!(role_name, schema)
+            execute_sql!(check_default_table_privileges_sql(role_name, schema))
+            true
+          rescue ::ActiveRecord::StatementInvalid => e
+            raise UserMissingTablePrivilegesError, e.message
+          end
+
+          def check_default_sequence_privileges!(role_name, schema)
+            execute_sql!(check_default_sequence_privileges_sql(role_name, schema))
+            true
+          rescue ::ActiveRecord::StatementInvalid => e
+            raise UserMissingSequencePrivilegesError, e.message
+          end
+
+          def check_user_exists_sql(role_name)
+            <<~SQL
+              DO $$ BEGIN
+                IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '#{role_name}') THEN
+                  RAISE EXCEPTION 'User % does not exist', '#{role_name}';
+                END IF;
+              END $$;
+            SQL
+          end
+
+          def check_user_in_rls_group_sql(role_name)
+            <<~SQL
+              DO $$ BEGIN
+                IF NOT EXISTS (
+                  SELECT FROM pg_catalog.pg_auth_members
+                    JOIN pg_roles AS rls_group ON rls_group.oid = pg_auth_members.roleid
+                    JOIN pg_roles AS rls_member ON rls_member.oid = pg_auth_members.member
+                    WHERE rls_group.rolname = 'rls_group' AND rls_member.rolname = '#{role_name}'
+                ) THEN
+                  RAISE EXCEPTION 'User % is not a member of pg_rls', '#{role_name}';
+                END IF;
+              END $$;
+            SQL
+          end
+
+          # defacl.defaclobjtype = 'r' because r stands for relation (table, view), S stands for sequence
+          # if needed more info visit https://www.postgresql.org/docs/9.6/catalog-pg-default-acl.html
+          def check_schema_usage_privilege_sql(role_name, schema)
+            <<~SQL
+              DO $$
+              BEGIN
+                IF NOT EXISTS (
+                  SELECT FROM pg_namespace n
+                  LEFT JOIN LATERAL aclexplode(n.nspacl) acl ON true LEFT JOIN pg_roles grantee_roles ON acl.grantee = grantee_roles.oid
+                  WHERE acl.privilege_type = 'USAGE' AND n.nspname = '#{schema}' AND grantee_roles.rolname = '#{role_name}'
+                ) THEN
+                  RAISE EXCEPTION 'User % is missing USAGE privilege on schema %', '#{role_name}', '#{schema}';
+                END IF;
+              END $$;
+            SQL
+          end
+
+          def check_default_table_privileges_sql(role_name, schema)
+            <<~SQL
+              DO $$ BEGIN
+                IF NOT EXISTS (
+                  SELECT FROM pg_default_acl defacl JOIN pg_namespace n ON defacl.defaclnamespace = n.oid LEFT JOIN LATERAL aclexplode(defacl.defaclacl) acl ON true
+                  LEFT JOIN pg_roles r_grantee ON r_grantee.oid = acl.grantee WHERE r_grantee.rolname = '#{role_name}' AND n.nspname = '#{schema}' AND defacl.defaclobjtype = 'r'
+                  AND acl.privilege_type IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE') GROUP BY n.nspname, defacl.defaclobjtype, r_grantee.rolname HAVING COUNT(DISTINCT acl.privilege_type) = 4
+                ) THEN
+                  RAISE EXCEPTION 'User % is missing one or more of SELECT, INSERT, UPDATE, DELETE privileges on tables in schema %', '#{role_name}', '#{schema}';
+                END IF;
+              END $$;
+            SQL
+          end
+
+          def check_table_privileges_sql(role_name, schema, table_name)
+            <<~SQL
+              DO $$ BEGIN
+                IF NOT EXISTS (
+                  SELECT FROM pg_class c JOIN pg_namespace n ON c.relnamespace = n.oid LEFT JOIN LATERAL aclexplode(c.relacl) acl ON true LEFT JOIN pg_roles r_grantee ON r_grantee.oid = acl.grantee
+                  WHERE r_grantee.rolname = '#{role_name}' AND n.nspname = '#{schema}' AND c.relname = '#{table_name}' AND acl.privilege_type IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE')
+	                GROUP BY n.nspname, c.relname, r_grantee.rolname HAVING COUNT(DISTINCT acl.privilege_type) = 4
+                ) THEN
+                  RAISE EXCEPTION 'User % is missing one or more of SELECT, INSERT, UPDATE, DELETE privileges on table % in schema %', '#{role_name}', '#{table_name}', '#{schema}';
+                END IF;
+              END $$;
+            SQL
+          end
+
+          def check_default_sequence_privileges_sql(role_name, schema)
+            <<~SQL
+              DO $$ BEGIN
+                IF NOT EXISTS (
+                  SELECT FROM pg_default_acl defacl JOIN pg_namespace n ON defacl.defaclnamespace = n.oid LEFT JOIN LATERAL aclexplode(defacl.defaclacl) acl ON true
+                  LEFT JOIN pg_roles r_grantee ON r_grantee.oid = acl.grantee WHERE r_grantee.rolname = '#{role_name}' AND n.nspname = '#{schema}' AND defacl.defaclobjtype = 'S'
+                  AND acl.privilege_type IN ('SELECT', 'USAGE') GROUP BY n.nspname, defacl.defaclobjtype, r_grantee.rolname HAVING COUNT(DISTINCT acl.privilege_type) = 2
+                ) THEN
+                  RAISE EXCEPTION 'User % is missing USAGE and/or SELECT privileges on sequences in schema %', '#{role_name}', '#{schema}';
+                END IF; END $$;
+            SQL
+          end
+
+          def check_sequence_privileges_sql(role_name, schema, sequence_name)
+            <<~SQL
+              DO $$ BEGIN
+                IF NOT EXISTS (
+                  SELECT FROM pg_class c JOIN pg_namespace n ON c.relnamespace = n.oid LEFT JOIN LATERAL aclexplode(c.relacl) acl ON true LEFT JOIN pg_roles r_grantee ON r_grantee.oid = acl.grantee
+                  WHERE r_grantee.rolname = '#{role_name}' AND n.nspname = '#{schema}' AND c.relname = '#{sequence_name}' AND acl.privilege_type IN ('SELECT', 'USAGE')
+                  GROUP BY n.nspname, c.relname, r_grantee.rolname HAVING COUNT(DISTINCT acl.privilege_type) = 2
+                ) THEN
+                  RAISE EXCEPTION 'User % is missing USAGE and/or SELECT privileges on sequence % in schema %', '#{role_name}', '#{sequence_name}', '#{schema}';
+                END IF;
+              END $$;
+            SQL
+          end
+
+          def check_table_rls_enabled_sql(schema, table_name)
+            <<~SQL
+              DO $$ BEGIN
+                IF NOT EXISTS (
+                  SELECT FROM pg_policies WHERE schemaname = '#{schema}' AND tablename = '#{table_name}'
+                ) THEN
+                  RAISE EXCEPTION 'RLS is not enabled on table %', '#{table_name}';
+                END IF;
+              END $$;
+            SQL
+          end
+
+          def check_table_user_policy_exists_sql(schema, table_name, user)
+            <<~SQL
+              DO $$ BEGIN
+                IF NOT EXISTS (
+                  SELECT FROM pg_policies WHERE schemaname = '#{schema}' AND tablename = '#{table_name}' AND policyname = '#{schema}_#{table_name}_#{user}'
+                ) THEN
+                  RAISE EXCEPTION 'Policy %_% does not exist', '#{table_name}', '#{user}';
+                END IF;
+              END $$;
+            SQL
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pg_rls/active_record/connection_adapters/postgre_sql/errors.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module PgRls
+  module ActiveRecord
+    module ConnectionAdapters
+      module PostgreSQL
+        class UserDoesNotExistError < PgRls::Error; end
+        class UserNotInPgRlsGroupError < PgRls::Error; end
+        class UserMissingSchemaUsagePrivilegeError < PgRls::Error; end
+        class UserMissingTablePrivilegesError < PgRls::Error; end
+        class UserMissingSequencePrivilegesError < PgRls::Error; end
+        class TableRlsNotEnabledError < PgRls::Error; end
+        class TableUserPolicyDoesNotExistError < PgRls::Error; end
+      end
+    end
+  end
+end

data/lib/pg_rls/active_record/connection_adapters/postgre_sql/grant_rls_user_privileges.rb

@@ -0,0 +1,167 @@
+# frozen_string_literal: true
+
+module PgRls
+  module ActiveRecord
+    module ConnectionAdapters
+      module PostgreSQL
+        # This module contains the logic to grant user privileges
+        module GrantRlsUserPrivileges
+          include SqlHelperMethod
+
+          def grant_rls_user_privileges(schema = PgRls.schema, role_name = PgRls.rls_role_group)
+            grant_schema_usage(schema, role_name)
+            grant_schema_migration_table_privileges(schema, role_name)
+            grant_default_sequence_privileges(schema, role_name)
+            grant_default_table_privileges(schema, role_name)
+            grant_existing_table_privileges(schema, role_name)
+            grant_existing_sequence_privileges(schema, role_name)
+          end
+
+          def revoke_rls_user_privileges(schema = PgRls.schema, role_name = PgRls.rls_role_group)
+            revoke_schema_usage(schema, role_name)
+            revoke_schema_migration_table_privileges(schema, role_name)
+            revoke_default_sequence_privileges(schema, role_name)
+            revoke_default_table_privileges(schema, role_name)
+            revoke_existing_table_privileges(schema, role_name)
+            revoke_existing_sequence_privileges(schema, role_name)
+          end
+
+          private
+
+          def revoke_schema_migration_table_privileges(schema, role_name)
+            statement = <<~SQL
+              REVOKE ALL PRIVILEGES ON TABLE #{schema}.schema_migrations FROM #{role_name};
+            SQL
+            execute_sql!(statement)
+          end
+
+          def revoke_schema_usage(schema, role_name)
+            execute_sql!(revoke_schema_usage_sql(schema, role_name))
+          end
+
+          def revoke_default_sequence_privileges(schema, role_name)
+            execute_sql!(revoke_default_sequence_privileges_sql(schema, role_name))
+          end
+
+          def revoke_default_table_privileges(schema, role_name)
+            execute_sql!(revoke_default_table_privileges_sql(schema, role_name))
+          end
+
+          def revoke_existing_table_privileges(schema, role_name)
+            execute_sql!(revoke_existing_table_privileges_sql(schema, role_name))
+          end
+
+          def revoke_existing_sequence_privileges(schema, role_name)
+            execute_sql!(revoke_existing_sequence_privileges_sql(schema, role_name))
+          end
+
+          def grant_schema_migration_table_privileges(schema, role_name)
+            statement = <<~SQL
+              DO $$ BEGIN
+                IF EXISTS (
+                  SELECT FROM pg_catalog.pg_tables WHERE schemaname = '#{schema}' AND tablename = 'schema_migrations'
+                ) THEN
+                 GRANT ALL PRIVILEGES ON TABLE #{schema}.schema_migrations TO #{role_name};
+                END IF;
+              END $$;
+            SQL
+            execute_sql!(statement)
+          end
+
+          def grant_schema_usage(schema, role_name)
+            statement = <<~SQL
+              GRANT USAGE ON SCHEMA #{schema} TO #{role_name};
+            SQL
+            execute_sql!(statement)
+          end
+
+          def grant_default_sequence_privileges(schema, role_name)
+            statement = <<~SQL
+              ALTER DEFAULT PRIVILEGES IN SCHEMA #{schema}
+                GRANT USAGE, SELECT ON SEQUENCES TO #{role_name};
+            SQL
+            execute_sql!(statement)
+          end
+
+          def grant_default_table_privileges(schema, role_name)
+            statement = <<~SQL
+              ALTER DEFAULT PRIVILEGES IN SCHEMA #{schema}
+                GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO #{role_name};
+            SQL
+            execute_sql!(statement)
+          end
+
+          def grant_existing_table_privileges(schema, role_name)
+            statement = <<~SQL
+              GRANT SELECT, INSERT, UPDATE, DELETE
+                ON ALL TABLES IN SCHEMA #{schema} TO #{role_name};
+            SQL
+            execute_sql!(statement)
+          end
+
+          def grant_existing_sequence_privileges(schema, role_name)
+            statement = <<~SQL
+              GRANT USAGE, SELECT
+                ON ALL SEQUENCES IN SCHEMA #{schema} TO #{role_name};
+            SQL
+            execute_sql!(statement)
+          end
+
+          def revoke_schema_usage_sql(schema, role_name)
+            statement = <<~SQL
+              REVOKE USAGE ON SCHEMA #{schema} FROM #{role_name};
+            SQL
+
+            role_applicable_sql_statement(role_name, statement)
+          end
+
+          def revoke_default_sequence_privileges_sql(schema, role_name)
+            statement = <<~SQL
+              ALTER DEFAULT PRIVILEGES IN SCHEMA #{schema}
+                REVOKE USAGE, SELECT ON SEQUENCES FROM #{role_name};
+            SQL
+
+            role_applicable_sql_statement(role_name, statement)
+          end
+
+          def revoke_default_table_privileges_sql(schema, role_name)
+            statement = <<~SQL
+              ALTER DEFAULT PRIVILEGES IN SCHEMA #{schema}
+                REVOKE SELECT, INSERT, UPDATE, DELETE ON TABLES FROM #{role_name};
+            SQL
+
+            role_applicable_sql_statement(role_name, statement)
+          end
+
+          def revoke_existing_table_privileges_sql(schema, role_name)
+            statement = <<~SQL
+              REVOKE SELECT, INSERT, UPDATE, DELETE
+                ON ALL TABLES IN SCHEMA #{schema} FROM #{role_name};
+            SQL
+
+            role_applicable_sql_statement(role_name, statement)
+          end
+
+          def revoke_existing_sequence_privileges_sql(schema, role_name)
+            statement = <<~SQL
+              REVOKE USAGE, SELECT
+                ON ALL SEQUENCES IN SCHEMA #{schema} FROM #{role_name};
+            SQL
+
+            role_applicable_sql_statement(role_name, statement)
+          end
+
+          def role_applicable_sql_statement(role_name, statement)
+            <<~SQL
+              DO $do$ BEGIN
+                IF EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '#{role_name}') THEN
+                  #{statement}
+                END IF;
+              END $do$;
+            SQL
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pg_rls/active_record/connection_adapters/postgre_sql/rls_functions.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module PgRls
+  module ActiveRecord
+    module ConnectionAdapters
+      module PostgreSQL
+        # This module contains the logic to create, drop and validate RLS functions
+        module RlsFunctions
+          include SqlHelperMethod
+
+          def function_exists?(function_name)
+            query = <<~SQL
+              SELECT 1
+              FROM pg_proc
+              WHERE proname = '#{function_name}'
+            SQL
+
+            execute_sql!(query).any?
+          end
+
+          def create_rls_functions
+            create_rls_exception
+            create_tenant_id_setter_function
+            create_tenant_id_update_blocker_function
+          end
+
+          def drop_rls_functions
+            drop_function("tenant_id_setter")
+            drop_function("rls_exception")
+            drop_function("tenant_id_update_blocker")
+          end
+
+          private
+
+          def create_function(name, body)
+            query = <<~SQL
+              CREATE OR REPLACE FUNCTION #{name}()
+                RETURNS TRIGGER LANGUAGE plpgsql AS $$
+                #{body}
+                $$;
+            SQL
+
+            execute_sql!(query)
+          end
+
+          def drop_function(name)
+            query = <<~SQL
+              DROP FUNCTION IF EXISTS #{name}() CASCADE;
+            SQL
+
+            execute_sql!(query)
+          end
+
+          def create_rls_exception
+            body = <<~SQL
+              BEGIN
+                RAISE EXCEPTION 'This column is guarded due to tenancy dependency';
+              END
+            SQL
+
+            create_function("rls_exception", body)
+          end
+
+          def create_tenant_id_setter_function
+            body = <<~SQL
+              BEGIN
+                new.tenant_id:= (current_setting('rls.tenant_id'));
+                RETURN NEW;
+              END;
+            SQL
+
+            create_function("tenant_id_setter", body)
+          end
+
+          def create_tenant_id_update_blocker_function
+            body = <<~SQL
+              BEGIN
+                IF OLD.tenant_id IS NOT NULL AND NEW.tenant_id != OLD.tenant_id THEN
+                  RAISE EXCEPTION 'Updating tenant_id is not allowed';
+                END IF;
+                RETURN NEW;
+              END;
+            SQL
+
+            create_function("tenant_id_update_blocker", body)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pg_rls/active_record/connection_adapters/postgre_sql/rls_policies.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module PgRls
+  module ActiveRecord
+    module ConnectionAdapters
+      module PostgreSQL
+        # This module contains the logic to grant user privileges
+        module RlsPolicies
+          include SqlHelperMethod
+
+          def enable_table_rls(table_name, user = PgRls.username, schema = PgRls.schema)
+            execute_sql!(create_rls_policy_sql(schema, table_name, user))
+            execute_sql!(enable_row_level_security_sql(schema, table_name))
+          end
+
+          def disable_table_rls(table_name, user = PgRls.username, schema = PgRls.schema)
+            execute_sql!(drop_rls_policy_sql(schema, table_name, user))
+            execute_sql!(disable_row_level_security_sql(schema, table_name))
+          end
+
+          private
+
+          def drop_rls_policy_sql(schema, table_name, user)
+            <<~SQL
+              DROP POLICY IF EXISTS #{schema}_#{table_name}_#{user}
+                ON #{schema}.#{table_name};
+            SQL
+          end
+
+          def disable_row_level_security_sql(schema, table_name)
+            <<~SQL
+              ALTER TABLE IF EXISTS #{schema}_#{table_name}
+                DISABLE ROW LEVEL SECURITY;
+            SQL
+          end
+
+          def create_rls_policy_sql(schema, table_name, user)
+            <<~SQL
+              CREATE POLICY #{schema}_#{table_name}_#{user}
+                ON #{schema}.#{table_name}
+                TO #{user}
+                USING (tenant_id = NULLIF(current_setting('rls.tenant_id', TRUE), '')::uuid);
+            SQL
+          end
+
+          def enable_row_level_security_sql(schema, table_name)
+            <<~SQL
+              ALTER TABLE #{schema}.#{table_name}
+                ENABLE ROW LEVEL SECURITY;
+            SQL
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pg_rls/active_record/connection_adapters/postgre_sql/rls_triggers.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+module PgRls
+  module ActiveRecord
+    module ConnectionAdapters
+      module PostgreSQL
+        # This module contains the logic to create, drop and validate RLS functions
+        module RlsTriggers
+          include SqlHelperMethod
+
+          def trigger_exists?(table_name, function_name, schema = PgRls.schema)
+            query = <<~SQL
+              SELECT 1
+              FROM pg_trigger
+              WHERE tgname = '#{schema}_#{table_name}_#{function_name}_trigger';
+            SQL
+
+            execute_sql!(query).any?
+          end
+
+          def append_tenant_table_triggers(table_name, schema = PgRls.schema)
+            create_rls_exception_trigger(schema, table_name)
+          end
+
+          def append_rls_table_triggers(table_name, schema = PgRls.schema)
+            create_tenant_id_setter_trigger(schema, table_name)
+            create_tenant_id_update_blocker_trigger(schema, table_name)
+          end
+
+          def drop_tenant_table_triggers(table_name, schema = PgRls.schema)
+            drop_trigger(schema, table_name, "#{schema}_#{table_name}_rls_exception_trigger")
+          end
+
+          def drop_rls_table_triggers(table_name, schema = PgRls.schema)
+            drop_trigger(schema, table_name, "#{schema}_#{table_name}_tenant_id_setter_trigger")
+            drop_trigger(schema, table_name, "#{schema}_#{table_name}_tenant_id_update_blocker_trigger")
+          end
+
+          private
+
+          def drop_trigger(schema, table_name, trigger_name)
+            query = <<~SQL
+              DROP TRIGGER IF EXISTS #{trigger_name} ON #{schema}.#{table_name};
+            SQL
+
+            execute_sql!(query)
+          end
+
+          def create_trigger(schema, table_name, trigger_name, function_name, timing, event) # rubocop:disable Metrics/ParameterLists
+            query = <<~SQL
+              CREATE TRIGGER #{trigger_name}
+                #{timing} #{event} ON #{schema}.#{table_name}
+                FOR EACH ROW EXECUTE PROCEDURE #{function_name}();
+            SQL
+
+            execute_sql!(query)
+          end
+
+          def create_rls_exception_trigger(schema, table_name)
+            create_trigger(
+              schema,
+              table_name,
+              "#{schema}_#{table_name}_rls_exception_trigger",
+              "rls_exception",
+              "BEFORE",
+              "UPDATE OF tenant_id"
+            )
+          end
+
+          def create_tenant_id_setter_trigger(schema, table_name)
+            create_trigger(
+              schema,
+              table_name,
+              "#{schema}_#{table_name}_tenant_id_setter_trigger",
+              "tenant_id_setter",
+              "BEFORE",
+              "INSERT"
+            )
+          end
+
+          def create_tenant_id_update_blocker_trigger(schema, table_name)
+            create_trigger(
+              schema,
+              table_name,
+              "#{schema}_#{table_name}_tenant_id_update_blocker_trigger",
+              "tenant_id_update_blocker",
+              "BEFORE",
+              "UPDATE OF tenant_id"
+            )
+          end
+        end
+      end
+    end
+  end
+end