rls_multi_tenant 0.1.0

data/lib/rls_multi_tenant/generators/migration/templates/enable_rls.rb

@@ -0,0 +1,27 @@
+class EnableRlsFor<%= table_name.camelize %> < ActiveRecord::Migration[<%= Rails.version.to_f %>]
+  def change
+    reversible do |dir|
+      dir.up do
+        # Enable Row Level Security
+        execute 'ALTER TABLE <%= table_name %> ENABLE ROW LEVEL SECURITY'
+        
+        # Create RLS policy
+        execute "CREATE POLICY <%= table_name %>_app_user ON <%= table_name %> TO #{ENV['<%= RlsMultiTenant.app_user_env_var %>']} USING (<%= RlsMultiTenant.tenant_id_column %> = NULLIF(current_setting('rls.tenant_id', TRUE), '')::uuid)"
+        
+        # Grant permissions
+        execute "GRANT SELECT, INSERT, UPDATE, DELETE ON <%= table_name %> TO #{ENV['<%= RlsMultiTenant.app_user_env_var %>']}"
+      end
+      
+      dir.down do
+        # Revoke permissions
+        execute "REVOKE SELECT, INSERT, UPDATE, DELETE ON <%= table_name %> FROM #{ENV['<%= RlsMultiTenant.app_user_env_var %>']}"
+        
+        # Drop policy
+        execute "DROP POLICY <%= table_name %>_app_user ON <%= table_name %>"
+        
+        # Disable RLS
+        execute "ALTER TABLE <%= table_name %> DISABLE ROW LEVEL SECURITY"
+      end
+    end
+  end
+end

data/lib/rls_multi_tenant/generators/migration/templates/enable_uuid_extension.rb

@@ -0,0 +1,5 @@
+class EnableUuidExtension < ActiveRecord::Migration[<%= Rails.version.to_f %>]
+  def change
+    enable_extension 'uuid-ossp'
+  end
+end

data/lib/rls_multi_tenant/generators/model/model_generator.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+require 'rails/generators'
+require 'ostruct'
+
+module RlsMultiTenant
+  module Generators
+    class ModelGenerator < Rails::Generators::Base
+      source_root File.expand_path("templates", __dir__)
+
+      argument :name, type: :string, desc: "Model name"
+      argument :attributes, type: :array, default: [], banner: "field:type field:type"
+
+      def initialize(args, *options)
+        super
+        @attributes = parse_attributes!
+      end
+
+      desc "Generate a multi-tenant model with RLS policies"
+
+      def create_model_file
+        template "model.rb", File.join("app/models", "#{model_name.underscore}.rb")
+      end
+
+      def create_migration
+        template "migration.rb", File.join("db/migrate", "#{migration_file_name}.rb")
+      end
+
+      def show_instructions
+        say "\n" + "="*60, :green
+        say "Multi-tenant model '#{model_name}' created successfully!", :green
+        say "="*60, :green
+        say "\nWhat was created:", :yellow
+        say "1. Model: app/models/#{model_name.underscore}.rb (with MultiTenant concern included)", :yellow
+        say "2. Migration: #{migration_file_name}.rb (with tenant_id column and RLS policies)", :yellow
+        say "\nNext steps:", :yellow
+        say "1. Run migrations: rails db_as:admin[migrate]", :yellow
+        say "2. The model is ready to use with multi-tenant functionality", :yellow
+        say "3. RLS policies are automatically configured", :yellow
+        say "="*60, :green
+      end
+
+      private
+
+      def model_name
+        @model_name ||= name.classify
+      end
+
+      def table_name
+        @table_name ||= name.underscore.pluralize
+      end
+
+      def migration_file_name
+        "#{migration_timestamp}_create_#{table_name}"
+      end
+
+      def migration_timestamp
+        Time.current.strftime("%Y%m%d%H%M%S")
+      end
+
+      def tenant_id_column
+        RlsMultiTenant.tenant_id_column
+      end
+
+      def tenant_class_name
+        RlsMultiTenant.tenant_class_name
+      end
+
+      def migration_class_name
+        "Create#{model_name.pluralize}"
+      end
+
+      def parse_attributes!
+        attributes.map do |attr|
+          name, type = attr.split(':')
+          OpenStruct.new(name: name, type: type || 'string')
+        end
+      end
+    end
+  end
+end

data/lib/rls_multi_tenant/generators/model/templates/migration.rb

@@ -0,0 +1,35 @@
+class <%= migration_class_name %> < ActiveRecord::Migration[<%= Rails.version.to_f %>]
+  def change
+    # Create the table
+    create_table :<%= table_name %>, id: :uuid do |t|
+      t.references :<%= tenant_id_column.to_s.gsub('_id', '') %>, null: false, foreign_key: { to_table: :<%= tenant_class_name.underscore.pluralize %> }, type: :uuid
+<% @attributes.each do |attribute| -%>
+      t.<%= attribute.type %> :<%= attribute.name %>
+<% end -%>
+
+      t.timestamps
+    end
+
+    # Enable Row Level Security
+    execute "ALTER TABLE <%= table_name %> ENABLE ROW LEVEL SECURITY"
+
+    reversible do |dir|
+      dir.up do
+        execute "GRANT SELECT, INSERT, UPDATE, DELETE ON <%= table_name %> TO #{ENV['<%= RlsMultiTenant.app_user_env_var %>']}"
+      end
+      dir.down do
+        execute "REVOKE SELECT, INSERT, UPDATE, DELETE ON <%= table_name %> FROM #{ENV['<%= RlsMultiTenant.app_user_env_var %>']}"
+      end
+    end
+
+    # Define RLS policy
+    reversible do |dir|
+      dir.up do
+        execute "CREATE POLICY <%= table_name %>_app_user ON <%= table_name %> TO #{ENV['<%= RlsMultiTenant.app_user_env_var %>']} USING (<%= tenant_id_column %> = NULLIF(current_setting('rls.<%= tenant_id_column %>', TRUE), '')::uuid)"
+      end
+      dir.down do
+        execute "DROP POLICY <%= table_name %>_app_user ON <%= table_name %>"
+      end
+    end
+  end
+end

data/lib/rls_multi_tenant/generators/model/templates/model.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class <%= model_name %> < ApplicationRecord
+  include RlsMultiTenant::Concerns::MultiTenant
+end

data/lib/rls_multi_tenant/generators/task/task_generator.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'rails/generators'
+
+module RlsMultiTenant
+  module Generators
+    class TaskGenerator < Rails::Generators::Base
+      source_root File.expand_path("templates", __dir__)
+
+      desc "Generate RLS Multi-tenant rake tasks"
+
+      def create_db_admin_task
+        template "db_admin.rake", "lib/tasks/db_admin.rake"
+        show_instructions
+      end
+
+      def show_instructions
+        say "\n" + "="*60, :green
+        say "RLS Multi-tenant rake tasks created successfully!", :green
+        say "="*60, :green
+        say "\nWhat was created:", :yellow
+        say "1. lib/tasks/db_admin.rake - Database admin tasks", :yellow
+        say "\nUsage:", :yellow
+        say "rails db_as:admin[migrate]    # Run migrations with admin privileges", :yellow
+        say "rails db_as:admin[seed]       # Run seeds with admin privileges", :yellow
+        say "\nNote: This is required because the app user doesn't have migration privileges", :yellow
+        say "="*60, :green
+      end
+    end
+  end
+end

data/lib/rls_multi_tenant/generators/task/templates/db_admin.rake

@@ -0,0 +1,24 @@
+namespace :db_as do
+  desc "Run a db: task with admin privileges. Usage: `rails db_as:admin[migrate]`"
+  task :admin, [:sub_task] do |t, args|
+    sub_task = args[:sub_task]
+
+    # Check if a sub-task was provided
+    if sub_task.nil? || !Rake::Task.task_defined?("db:#{sub_task}")
+      puts "Usage: rails db_as:admin[sub_task]"
+      puts "Valid sub-tasks: #{Rake.application.tasks.map(&:name).select { |name| name.start_with?("db:") }.map { |name| name.split(':', 2).last }.uniq.sort.join(', ')}"
+      exit
+    end
+
+    database_url = "postgresql://#{ENV['POSTGRES_USER']}:#{ENV['POSTGRES_PASSWORD']}@#{ENV['POSTGRES_HOST']}:5432/#{ENV['POSTGRES_DB']}"
+
+    # Set the DATABASE_URL with admin user details.
+    ENV['DATABASE_URL'] = database_url
+    ENV['CACHE_DATABASE_URL'] = "#{database_url}_cache"
+    ENV['QUEUE_DATABASE_URL'] = "#{database_url}_queue"
+    ENV['CABLE_DATABASE_URL'] = "#{database_url}_cable"
+
+    puts "Executing db:#{sub_task} with admin privileges..."
+    Rake::Task["db:#{sub_task}"].invoke
+  end
+end

data/lib/rls_multi_tenant/railtie.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module RlsMultiTenant
+  class Railtie < Rails::Railtie
+    # Load generators after Rails is fully initialized
+    initializer "rls_multi_tenant.load_generators", after: :set_routes_reloader do |app|
+      require "rls_multi_tenant/generators/install/install_generator"
+      require "rls_multi_tenant/generators/migration/migration_generator"
+      require "rls_multi_tenant/generators/model/model_generator"
+      require "rls_multi_tenant/generators/task/task_generator"
+    end
+
+    initializer "rls_multi_tenant.configure" do |app|
+      # Configure the gem
+      RlsMultiTenant.configure do |config|
+        config.tenant_class_name = "Tenant"
+        config.tenant_id_column = :tenant_id
+        config.app_user_env_var = "POSTGRES_APP_USER"
+        config.enable_security_validation = true
+      end
+    end
+
+    initializer "rls_multi_tenant.security_validation", after: :load_config_initializers do |app|
+      if RlsMultiTenant.enable_security_validation
+        app.config.after_initialize do
+          begin
+            RlsMultiTenant::SecurityValidator.validate_environment!
+            RlsMultiTenant::SecurityValidator.validate_database_user!
+          rescue => e
+            Rails.logger.error "RLS Multi-tenant initialization failed: #{e.message}"
+            raise e
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rls_multi_tenant/rls_helper.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module RlsMultiTenant
+  module RlsHelper
+    class << self
+      # Enable RLS on a table with a policy
+      def enable_rls_for_table(table_name, tenant_column: RlsMultiTenant.tenant_id_column, app_user: nil)
+        app_user ||= ENV[RlsMultiTenant.app_user_env_var]
+        
+        raise ConfigurationError, "App user not configured" if app_user.blank?
+
+        # Enable RLS
+        ActiveRecord::Base.connection.execute("ALTER TABLE #{table_name} ENABLE ROW LEVEL SECURITY")
+        
+        # Create policy (drop if exists first)
+        policy_name = "#{table_name}_app_user"
+        ActiveRecord::Base.connection.execute("DROP POLICY IF EXISTS #{policy_name} ON #{table_name}")
+        
+        policy_sql = "CREATE POLICY #{policy_name} ON #{table_name} TO #{app_user} " \
+                    "USING (#{tenant_column} = NULLIF(current_setting('rls.tenant_id', TRUE), '')::uuid)"
+        
+        ActiveRecord::Base.connection.execute(policy_sql)
+        
+        # Grant permissions
+        ActiveRecord::Base.connection.execute("GRANT SELECT, INSERT, UPDATE, DELETE ON #{table_name} TO #{app_user}")
+        
+        Rails.logger&.info "✅ RLS enabled for table #{table_name} with policy #{policy_name}"
+      end
+
+      # Disable RLS on a table
+      def disable_rls_for_table(table_name, app_user: nil)
+        app_user ||= ENV[RlsMultiTenant.app_user_env_var]
+        
+        raise ConfigurationError, "App user not configured" if app_user.blank?
+
+        # Revoke permissions
+        ActiveRecord::Base.connection.execute("REVOKE SELECT, INSERT, UPDATE, DELETE ON #{table_name} FROM #{app_user}")
+        
+        # Drop policy
+        policy_name = "#{table_name}_app_user"
+        ActiveRecord::Base.connection.execute("DROP POLICY IF EXISTS #{policy_name} ON #{table_name}")
+        
+        # Disable RLS
+        ActiveRecord::Base.connection.execute("ALTER TABLE #{table_name} DISABLE ROW LEVEL SECURITY")
+        
+        Rails.logger&.info "✅ RLS disabled for table #{table_name}"
+      end
+
+      # Check if RLS is enabled on a table
+      def rls_enabled?(table_name)
+        result = ActiveRecord::Base.connection.execute(
+          "SELECT relrowsecurity FROM pg_class WHERE relname = '#{table_name}'"
+        ).first
+        
+        result&.dig('relrowsecurity') == true
+      end
+
+      # Get all RLS policies for a table
+      def rls_policies(table_name)
+        ActiveRecord::Base.connection.execute(
+          "SELECT policyname, permissive, roles, cmd, qual FROM pg_policies WHERE tablename = '#{table_name}'"
+        )
+      end
+    end
+  end
+end

data/lib/rls_multi_tenant/rls_multi_tenant.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require "rls_multi_tenant/version"
+require "rls_multi_tenant/concerns/multi_tenant"
+require "rls_multi_tenant/concerns/tenant_context"
+require "rls_multi_tenant/security_validator"
+require "rls_multi_tenant/rls_helper"
+require "rls_multi_tenant/railtie" if defined?(Rails)
+
+module RlsMultiTenant
+  class Error < StandardError; end
+  class ConfigurationError < Error; end
+  class SecurityError < Error; end
+
+  # Configuration options
+  class << self
+    attr_accessor :tenant_class_name, :tenant_id_column, :app_user_env_var, :enable_security_validation
+
+    def configure
+      yield self
+    end
+
+    def tenant_class
+      @tenant_class ||= tenant_class_name.constantize
+    end
+
+    def tenant_id_column
+      @tenant_id_column ||= :tenant_id
+    end
+
+    def app_user_env_var
+      @app_user_env_var ||= "POSTGRES_APP_USER"
+    end
+
+    def enable_security_validation
+      @enable_security_validation.nil? ? true : @enable_security_validation
+    end
+  end
+
+  # Default configuration
+  self.tenant_class_name = "Tenant"
+  self.tenant_id_column = :tenant_id
+  self.app_user_env_var = "POSTGRES_APP_USER"
+  self.enable_security_validation = true
+end

data/lib/rls_multi_tenant/security_validator.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module RlsMultiTenant
+  class SecurityValidator
+    class << self
+      def validate_database_user!
+        return unless RlsMultiTenant.enable_security_validation
+        return if skip_validation?
+
+        begin
+          # Get the current database configuration
+          db_config = ActiveRecord::Base.connection_db_config
+          username = db_config.configuration_hash[:username]
+
+          # Check if the current user has SUPERUSER privileges
+          superuser_check = ActiveRecord::Base.connection.execute(
+            "SELECT rolname, rolsuper FROM pg_roles WHERE rolname = current_user"
+          ).first
+
+          if superuser_check && superuser_check['rolsuper']
+            raise SecurityError, "Database user '#{username}' has SUPERUSER privileges. " \
+                                "In order to use RLS Multi-tenant, you must use a non-privileged user without SUPERUSER rights."
+          end
+
+          # Log the security check result
+          Rails.logger&.info "✅ RLS Multi-tenant security check passed: Using user '#{username}' without SUPERUSER privileges"
+
+        rescue => e
+          Rails.logger&.error "❌ RLS Multi-tenant security check failed: #{e.message}"
+          raise e
+        end
+      end
+
+      def validate_environment!
+        return if skip_validation?
+        return unless RlsMultiTenant.enable_security_validation
+        
+        app_user = ENV[RlsMultiTenant.app_user_env_var]
+        
+        if app_user.blank?
+          raise ConfigurationError, "#{RlsMultiTenant.app_user_env_var} environment variable must be set"
+        elsif ["postgres", "root"].include?(app_user)
+          raise SecurityError, "Cannot use privileged PostgreSQL user '#{app_user}'. " \
+                              "In order to use RLS Multi-tenant, you must use a non-privileged user without SUPERUSER rights."
+        end
+      end
+
+      private
+
+      def skip_validation?
+        # Skip validation if we're running install generator
+        return true if ARGV.any? { |arg| arg.include?('rls_multi_tenant:install') }
+        
+        # Skip validation if we're in admin mode (set by db_as:admin task)
+        return true if ENV['RLS_MULTI_TENANT_ADMIN_MODE'] == 'true'
+        
+        false
+      end
+    end
+  end
+end

data/lib/rls_multi_tenant/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module RlsMultiTenant
+  VERSION = "0.1.0"
+end

data/lib/rls_multi_tenant.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require "rls_multi_tenant/version"
+require "rls_multi_tenant/concerns/multi_tenant"
+require "rls_multi_tenant/concerns/tenant_context"
+require "rls_multi_tenant/security_validator"
+require "rls_multi_tenant/rls_helper"
+# require "rls_multi_tenant/generators/install/install_generator" if defined?(Rails)
+# require "rls_multi_tenant/generators/migration/migration_generator" if defined?(Rails)
+# require "rls_multi_tenant/generators/model/model_generator" if defined?(Rails)
+require "rls_multi_tenant/railtie" if defined?(Rails)
+
+module RlsMultiTenant
+  class Error < StandardError; end
+  class ConfigurationError < Error; end
+  class SecurityError < Error; end
+
+  # Configuration options
+  class << self
+    attr_accessor :tenant_class_name, :tenant_id_column, :app_user_env_var, :enable_security_validation
+
+    def configure
+      yield self
+    end
+
+    def tenant_class
+      @tenant_class ||= tenant_class_name.constantize
+    end
+
+    def tenant_id_column
+      @tenant_id_column ||= :tenant_id
+    end
+
+    def app_user_env_var
+      @app_user_env_var ||= "POSTGRES_APP_USER"
+    end
+
+    def enable_security_validation
+      @enable_security_validation.nil? ? true : @enable_security_validation
+    end
+  end
+
+  # Default configuration
+  self.tenant_class_name = "Tenant"
+  self.tenant_id_column = :tenant_id
+  self.app_user_env_var = "POSTGRES_APP_USER"
+  self.enable_security_validation = true
+end

data/rls_multi_tenant.gemspec

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require_relative "lib/rls_multi_tenant/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "rls_multi_tenant"
+  spec.version = RlsMultiTenant::VERSION
+  spec.authors = ["Coding Ways"]
+  spec.email = ["info@codingways.com"]
+
+  spec.summary = "Rails gem for PostgreSQL Row Level Security (RLS) multi-tenant applications"
+  spec.description = "A comprehensive gem that provides RLS-based multi-tenancy for Rails applications using PostgreSQL, including automatic tenant context switching, security validations, and migration helpers."
+  spec.homepage = "https://github.com/codingways/rls_multi_tenant"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 3.0.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/codingways/rls_multi_tenant"
+  spec.metadata["changelog_uri"] = "https://github.com/codingways/rls_multi_tenant/blob/main/CHANGELOG.md"
+
+  # Specify which files should be added to the gem when it is released.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (File.expand_path(f) == __FILE__) ||
+        f.start_with?(*%w[bin/ test/ spec/ features/ .git appveyor Gemfile])
+    end
+  end
+  spec.bindir = "exe"
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  # Dependencies
+  spec.add_dependency "rails", ">= 7.0"
+  spec.add_dependency "pg", ">= 1.0"
+
+  # Development dependencies
+  spec.add_development_dependency "rspec-rails", "~> 6.0"
+  spec.add_development_dependency "rubocop", "~> 1.50"
+  spec.add_development_dependency "rubocop-rails", "~> 2.20"
+  spec.add_development_dependency "rubocop-rspec", "~> 2.20"
+  spec.add_development_dependency "simplecov", "~> 0.22"
+  spec.add_development_dependency "generator_spec", "~> 0.9"
+  spec.add_development_dependency "bundler-audit", "~> 0.9"
+end