rls_multi_tenant 0.2.1 → 0.2.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fa585ee59105f64a9b7469703907c8cf24b4ed80873a7cb72476d3bb0bd2082a
-  data.tar.gz: b9676fcf8125dd896ad04d66b9832cb52ea0b08664e117e4d55cfd26a8309139
+  metadata.gz: 397cee677030faceb292bbfbb2eda3bb87f269d6b1b834966b7e6601472b8bcc
+  data.tar.gz: 42dff9f53f1d0ce4e1a59fd44e081bf33b2459083ecc63d6a19560a9c80fd4c9
 SHA512:
-  metadata.gz: 1d43085f2d1b25d28aec9380e6d30993bb59738ede4b4259457cdcd63577d8f1f996216717de8b16f78eeae531b6c96579b5b5f49e7f83895bcbacbf1538cff1
-  data.tar.gz: 4caa1cc6a5d697dda6dea0f2feab0460d0436c7d4c16bd82b979000510e66cacb482e493021af0d1356a0285455ad8a499dd55a9b64a6051dc04a0fe8db53f91
+  metadata.gz: f99ba4e9128a74857c708e8393d3c8302c900c79c2809c0ad0a8dd1723d7daf1bf5f0ac064376709eb0b73983e14ec4dd3228db053c4f3f063d62c5d7adb4e1e
+  data.tar.gz: 65d310a74e59647771b1d3e37508d2e8b23050ceb501a64b6663c9c1532f5d43bb91e84a4c73c673f91e8a4a06d380db8c0b010ee411cf4b4dea3a746be5b084

data/README.md

@@ -9,6 +9,12 @@
 
 A Rails gem that provides PostgreSQL Row Level Security (RLS) based multi-tenancy for Rails applications.
 
+> 📚 **Learn more about PostgreSQL Row Level Security**: [PostgreSQL RLS Documentation](https://www.postgresql.org/docs/current/ddl-rowsecurity.html)
+
+## ⚠️ IMPORTANT: Database Security Setup for RLS
+
+**This gem relies on PostgreSQL Row-Level Security (RLS) for tenant isolation. You MUST create a dedicated database role with proper RLS permissions before using this gem in production.**
+
 ## Features
 
 - 🔒 **Row Level Security**: Automatic tenant isolation using PostgreSQL RLS
@@ -19,6 +25,50 @@ A Rails gem that provides PostgreSQL Row Level Security (RLS) based multi-tenanc
 - ⚙️ **Configurable**: Flexible configuration options
 - 🌐 **Subdomain Middleware**: Automatic tenant switching based on subdomain
 
+### Create Application Database Role
+
+Create a dedicated role for your Rails application:
+
+```sql
+CREATE ROLE app_user
+  WITH LOGIN
+       CREATEDB          -- can create databases
+       CREATEROLE        -- can create/modify other roles (except superuser)
+       NOINHERIT         -- does not inherit privileges from roles it belongs to
+       NOREPLICATION     -- cannot use replication
+       NOBYPASSRLS       -- cannot bypass Row-Level Security
+       NOSUPERUSER       -- is not a superuser
+       PASSWORD 'strong_password';
+```
+
+If you don't have a database created, you can create one with the new role:
+
+```sql
+CREATE DATABASE your_db_name OWNER app_user;
+```
+
+If you already have a database created, make sure to grant ownership of the database to the new role:
+
+```sql
+ALTER DATABASE your_db_name OWNER TO app_user;
+```
+
+### Why This Role Configuration is Critical for RLS
+
+- **`NOBYPASSRLS`**: **ESSENTIAL for RLS security** - prevents bypassing Row-Level Security policies that enforce tenant isolation
+- **`NOSUPERUSER`**: Prevents superuser privileges that could compromise RLS policies
+- **`LOGIN`**: Allows the role to connect to the database
+- **`CREATEDB`**: Enables database creation for development/testing environments
+- **`CREATEROLE`**: Allows creating other roles for application-specific users
+- **`NOINHERIT`**: Ensures the role does not inherit privileges from parent roles
+- **`NOREPLICATION`**: Prevents the role from being used for replication (security)
+
+**Without `NOBYPASSRLS`, Row-Level Security policies can be bypassed, completely breaking tenant isolation and exposing data across tenants.**
+
+### Update Database Configuration
+
+Update your `config/database.yml` to use the new role:
+
 ## Installation
 
 Add this line to your application's Gemfile:
@@ -42,33 +92,23 @@ bundle install
 
 2. **Configure the gem settings:**
    Edit `config/initializers/rls_multi_tenant.rb` to customize your tenant model:
-   ```ruby
-   RlsMultiTenant.configure do |config|
-     config.tenant_class_name = "Tenant"           # Change to your preferred tenant model name
-     config.tenant_id_column = :tenant_id          # Tenant ID column name
-     config.app_user_env_var = "POSTGRES_APP_USER" # Environment variable for app user
-     config.enable_security_validation = true      # Enable security checks
-     config.enable_subdomain_middleware = true     # Enable subdomain-based tenant switching (default: true)
-     config.subdomain_field = :subdomain           # Field to use for subdomain matching (default: :subdomain)
-   end
-   ```
-
-3. **Configure environment variables:**
-   ```bash
-   POSTGRES_USER=your_admin_user # This is the user that will run the migrations
-   POSTGRES_PASSWORD=your_admin_user_password
-   POSTGRES_APP_USER=your_app_user # This is the user that will run the app
-   POSTGRES_APP_PASSWORD=your_app_user_password
-   ```
-
-4. **Setup the tenant model and migrations:**
+    ```ruby
+    RlsMultiTenant.configure do |config|
+      config.tenant_class_name = "Tenant"           # Your tenant model class (e.g., "Organization", "Company")
+      config.tenant_id_column = :tenant_id          # Tenant ID column name
+      config.enable_security_validation = true      # Enable security checks (prevents running with superuser privileges)
+      config.enable_subdomain_middleware = true     # Enable subdomain-based tenant switching (default: true)
+      config.subdomain_field = :subdomain           # Field to use for subdomain matching (default: :subdomain)
+    end
+    ```
+3. **Setup the tenant model and migrations:**
    ```bash
    rails generate rls_multi_tenant:setup
    ```
 
-5. **Run migrations:**
+4. **Run migrations:**
    ```bash
-   rails db_as:admin[migrate] # Custom rake task to run migrations with admin privileges
+   rails db:migrate
    ```
 
 ## Usage
@@ -157,46 +197,6 @@ end
 - **Fail-Safe**: Public models are clearly separated from tenant models
 - **No Configuration Drift**: Can't accidentally expose tenant data through misconfiguration
 
-## Configuration
-
-The gem is configured in `config/initializers/rls_multi_tenant.rb` (created by the install generator). You can customize the following options:
-
-```ruby
-RlsMultiTenant.configure do |config|
-  config.tenant_class_name = "Tenant"           # Your tenant model class (e.g., "Organization", "Company")
-  config.tenant_id_column = :tenant_id          # Tenant ID column name
-  config.app_user_env_var = "POSTGRES_APP_USER" # Environment variable for app user
-  config.enable_security_validation = true      # Enable security checks (prevents running with superuser privileges)
-  config.enable_subdomain_middleware = true     # Enable subdomain-based tenant switching (default: true)
-  config.subdomain_field = :subdomain           # Field to use for subdomain matching (default: :subdomain)
-end
-```
-
-**Important**: Configure these settings **before** running `rails generate rls_multi_tenant:setup`, as the setup generator will use these values to create the appropriate model and migrations.
-
-### Database Admin Task
-```bash
-# Run migrations with admin privileges (required because app user can't run migrations)
-rails db_as:admin[migrate]
-
-# Run seeds with admin privileges
-rails db_as:admin[seed]
-
-# Create database with admin privileges
-rails db_as:admin[create]
-
-# Drop database with admin privileges
-rails db_as:admin[drop]
-```
-
-## Security Features
-
-The gem includes multiple security layers:
-
-1. **Environment Validation**: Ensures `POSTGRES_APP_USER` is set and not privileged
-2. **Database User Validation**: Checks that the database user doesn't have SUPERUSER privileges
-3. **RLS Policies**: Automatic tenant isolation at the database level
-
 ## Requirements
 
 - Rails 6.0+

data/lib/rls_multi_tenant/concerns/multi_tenant.rb

@@ -7,7 +7,7 @@ module RlsMultiTenant
 
       included do
         belongs_to :tenant, class_name: RlsMultiTenant.tenant_class_name, foreign_key: RlsMultiTenant.tenant_id_column
-        
+
         validates RlsMultiTenant.tenant_id_column, presence: true
 
         before_validation :set_tenant_id
@@ -17,12 +17,12 @@ module RlsMultiTenant
         def set_tenant_id
           current_tenant = RlsMultiTenant.tenant_class.current
 
-          if current_tenant && self.send(RlsMultiTenant.tenant_id_column).blank?
-            self.send("#{RlsMultiTenant.tenant_id_column}=", current_tenant.id)
+          if current_tenant && send(RlsMultiTenant.tenant_id_column).blank?
+            send("#{RlsMultiTenant.tenant_id_column}=", current_tenant.id)
           elsif current_tenant.nil?
-            raise RlsMultiTenant::Error, 
+            raise RlsMultiTenant::Error,
                   "Cannot create #{self.class.name} without tenant context. " \
-                  "This model requires a tenant context. "
+                  'This model requires a tenant context. '
           end
         end
       end
@@ -37,7 +37,8 @@ module RlsMultiTenant
           when String, Integer
             tenant_or_id
           else
-            raise ArgumentError, "Expected #{RlsMultiTenant.tenant_class_name} object or tenant_id, got #{tenant_or_id.class}"
+            raise ArgumentError,
+                  "Expected #{RlsMultiTenant.tenant_class_name} object or tenant_id, got #{tenant_or_id.class}"
           end
         end
       end

data/lib/rls_multi_tenant/concerns/tenant_context.rb

@@ -5,8 +5,8 @@ module RlsMultiTenant
     module TenantContext
       extend ActiveSupport::Concern
 
-      SET_TENANT_ID_SQL = 'SET %s = %s'.freeze
-      RESET_TENANT_ID_SQL = 'RESET %s'.freeze
+      SET_TENANT_ID_SQL = 'SET %s = %s'
+      RESET_TENANT_ID_SQL = 'RESET %s'
 
       class_methods do
         def tenant_session_var
@@ -41,9 +41,9 @@ module RlsMultiTenant
 
           result = connection.execute("SHOW #{tenant_session_var}")
           tenant_id = result.first&.dig(tenant_session_var)
-          
+
           return nil if tenant_id.blank?
-          
+
           RlsMultiTenant.tenant_class.find_by(id: tenant_id)
         rescue ActiveRecord::StatementInvalid, PG::Error
           nil
@@ -58,31 +58,28 @@ module RlsMultiTenant
           when String, Integer
             tenant_or_id
           else
-            raise ArgumentError, "Expected #{RlsMultiTenant.tenant_class_name} object or tenant_id, got #{tenant_or_id.class}"
+            raise ArgumentError,
+                  "Expected #{RlsMultiTenant.tenant_class_name} object or tenant_id, got #{tenant_or_id.class}"
           end
         end
 
         def validate_tenant_exists!(tenant_id)
           return if tenant_id.blank?
-          
-          unless RlsMultiTenant.tenant_class.exists?(id: tenant_id)
-            raise StandardError, "#{RlsMultiTenant.tenant_class_name} with id '#{tenant_id}' not found"
-          end
+
+          return if RlsMultiTenant.tenant_class.exists?(id: tenant_id)
+
+          raise StandardError, "#{RlsMultiTenant.tenant_class_name} with id '#{tenant_id}' not found"
         end
       end
 
       # Instance methods
-      def switch(tenant_or_id)
-        self.class.switch(tenant_or_id) { yield }
+      def switch(tenant_or_id, &block)
+        self.class.switch(tenant_or_id, &block)
       end
 
-      def switch!(tenant_or_id)
-        self.class.switch!(tenant_or_id)
-      end
+      delegate :switch!, to: :class
 
-      def reset!
-        self.class.reset!
-      end
+      delegate :reset!, to: :class
     end
   end
 end

data/lib/rls_multi_tenant/generators/install/install_generator.rb

@@ -8,44 +8,27 @@ module RlsMultiTenant
     class InstallGenerator < Rails::Generators::Base
       include Shared::TemplateHelper
 
-      source_root File.expand_path("templates", __dir__)
+      source_root File.expand_path('templates', __dir__)
 
-      desc "Install RLS Multi-tenant gem configuration"
+      desc 'Install RLS Multi-tenant gem configuration'
 
       def create_initializer
-        template "rls_multi_tenant.rb", "config/initializers/rls_multi_tenant.rb"
-      end
-
-      def create_db_admin_task
-        unless File.exist?(File.join(destination_root, "lib/tasks/db_admin.rake"))
-          copy_shared_template "db_admin.rake", "lib/tasks/db_admin.rake"
-        else
-          say "Database admin task already exists, skipping creation", :yellow
-        end
+        template 'rls_multi_tenant.rb', 'config/initializers/rls_multi_tenant.rb'
       end
 
       def show_instructions
-        say "\n" + "="*60, :green
-        say "RLS Multi-tenant gem configuration installed successfully!", :green
-        say "="*60, :green
+        say "\n#{'=' * 60}", :green
+        say 'RLS Multi-tenant gem configuration installed successfully!', :green
+        say '=' * 60, :green
         say "\nNext steps:", :yellow
-        say "1. Configure your environment variables:\n", :yellow
-        say "   POSTGRES_USER=your_admin_user # This is the user that will run the migrations", :yellow
-        say "   POSTGRES_PASSWORD=your_admin_user_password", :yellow
-        say "   POSTGRES_APP_USER=your_app_user # This is the user that will run the app", :yellow
-        say "   POSTGRES_APP_PASSWORD=your_app_user_password", :yellow
-        say "\n2. Configure the gem settings in config/initializers/rls_multi_tenant.rb", :yellow
-        say "   (tenant_class_name, tenant_id_column, app_user_env_var, enable_security_validation)", :yellow
-        say "\n3. Run the setup generator to create the tenant model and migrations:\n", :yellow
-        say "   rails generate rls_multi_tenant:setup", :yellow
-        say "\n4. Make sure to use the POSTGRES_APP_USER in your database.yml.", :yellow
-        say "\n5. Run the migrations with admin privileges:\n", :yellow
-        say "   rails db_as:admin[migrate]", :yellow
-        say "   Note: We must use the admin user because the app user doesn't have migration privileges", :yellow
-        say "\n6. Use 'rails generate rls_multi_tenant:model' for new multi-tenant models", :yellow
-        say "="*60, :green
+        say "\n1. Configure the gem settings in config/initializers/rls_multi_tenant.rb", :yellow
+        say "\n2. Run the setup generator to create the tenant model and migrations:\n", :yellow
+        say '   rails generate rls_multi_tenant:setup', :yellow
+        say "\n3. Run migrations:\n", :yellow
+        say '   rails db:migrate', :yellow
+        say "\n4. Use 'rails generate rls_multi_tenant:model' for new multi-tenant models", :yellow
+        say '=' * 60, :green
       end
-
     end
   end
 end

data/lib/rls_multi_tenant/generators/install/templates/rls_multi_tenant.rb

@@ -2,20 +2,17 @@
 
 RlsMultiTenant.configure do |config|
   # Configure the tenant model class name
-  config.tenant_class_name = "Tenant"
-  
+  config.tenant_class_name = 'Tenant'
+
   # Configure the tenant ID column name
   config.tenant_id_column = :tenant_id
-  
-  # Configure the environment variable for the app user
-  config.app_user_env_var = "POSTGRES_APP_USER"
-  
+
   # Enable/disable security validation
   config.enable_security_validation = true
-  
+
   # Enable/disable subdomain-based tenant switching middleware
   config.enable_subdomain_middleware = true
-  
+
   # Configure the field to use for subdomain matching (default: :subdomain)
   # This should be a field on your tenant model that contains the subdomain
   config.subdomain_field = :subdomain

data/lib/rls_multi_tenant/generators/migration/migration_generator.rb

@@ -7,101 +7,58 @@ module RlsMultiTenant
   module Generators
     class MigrationGenerator < Rails::Generators::Base
       include Shared::TemplateHelper
-      
-      source_root File.expand_path("templates", __dir__)
 
-      argument :migration_type, type: :string, desc: "Type of migration to generate"
+      source_root File.expand_path('templates', __dir__)
 
-      desc "Generate RLS Multi-tenant migrations"
+      argument :migration_type, type: :string, desc: 'Type of migration to generate'
+
+      desc 'Generate RLS Multi-tenant migrations'
 
       def create_migration
         case migration_type
-        when "create_tenant"
+        when 'create_tenant'
           create_tenant_migration
-        when "create_app_user"
-          create_app_user_migration
-        when "enable_rls"
+        when 'enable_rls'
           create_enable_rls_migration
-        when "enable_uuid"
+        when 'enable_uuid'
           create_enable_uuid_migration
         else
           say "Unknown migration type: #{migration_type}", :red
-          say "Available types: create_tenant, create_app_user, enable_rls, enable_uuid", :yellow
+          say 'Available types: create_tenant, enable_rls, enable_uuid', :yellow
         end
       end
 
       private
 
-      def create_app_user_migration
-        create_app_user_migrations_for_all_databases
-      end
-
       def create_enable_rls_migration
-        timestamp = Time.current.strftime("%Y%m%d%H%M%S")
-        template "enable_rls.rb", "db/migrate/#{timestamp}_enable_rls_for_#{table_name}.rb"
+        timestamp = Time.current.strftime('%Y%m%d%H%M%S')
+        template 'enable_rls.rb', "db/migrate/#{timestamp}_enable_rls_for_#{table_name}.rb"
       end
 
       def create_tenant_migration
         tenant_class_name = RlsMultiTenant.tenant_class_name
         migration_pattern = "*_create_#{tenant_class_name.underscore.pluralize}.rb"
-        
-        unless Dir.glob(File.join(destination_root, "db/migrate/#{migration_pattern}")).any?
-          timestamp = Time.current.strftime("%Y%m%d%H%M%S")
-          render_shared_template "create_tenant.rb", "db/migrate/#{timestamp}_create_#{tenant_class_name.underscore.pluralize}.rb"
-        else
-          say "#{tenant_class_name} migration already exists, skipping creation", :yellow
-        end
-      end
 
-      def create_enable_uuid_migration
-        unless Dir.glob(File.join(destination_root, "db/migrate/*_enable_uuid_extension.rb")).any?
-          timestamp = Time.current.strftime("%Y%m%d%H%M%S")
-          render_shared_template "enable_uuid_extension.rb", "db/migrate/#{timestamp}_enable_uuid_extension.rb"
+        if Dir.glob(File.join(destination_root, "db/migrate/#{migration_pattern}")).any?
+          say "#{tenant_class_name} migration already exists, skipping creation", :yellow
         else
-          say "UUID extension migration already exists, skipping creation", :yellow
+          timestamp = Time.current.strftime('%Y%m%d%H%M%S')
+          render_shared_template 'create_tenant.rb',
+                                 "db/migrate/#{timestamp}_create_#{tenant_class_name.underscore.pluralize}.rb"
         end
       end
 
-      def create_app_user_migrations_for_all_databases
-        # Get database configuration for current environment
-        db_config = Rails.application.config.database_configuration[Rails.env]
-        
-        # Handle both single database and multiple databases configuration
-        databases_to_process = if db_config.is_a?(Hash) && db_config.key?('primary')
-          # Multiple databases configuration
-          db_config
+      def create_enable_uuid_migration
+        if Dir.glob(File.join(destination_root, 'db/migrate/*_enable_uuid_extension.rb')).any?
+          say 'UUID extension migration already exists, skipping creation', :yellow
         else
-          # Single database configuration - treat as primary
-          { 'primary' => db_config }
+          timestamp = Time.current.strftime('%Y%m%d%H%M%S')
+          render_shared_template 'enable_uuid_extension.rb', "db/migrate/#{timestamp}_enable_uuid_extension.rb"
         end
-
-        databases_to_process.each do |db_name, config|
-          next if db_name == 'primary' # Skip primary database, handle it separately
-          
-          # Check if migrations_paths is defined for this database
-          if config['migrations_paths']
-            migration_paths = Array(config['migrations_paths'])
-            migration_paths.each do |migration_path|
-              migration_dir = File.join(destination_root, migration_path)
-              FileUtils.mkdir_p(migration_dir) unless File.directory?(migration_dir)
-              
-              timestamp = Time.current.strftime("%Y%m%d%H%M%S")
-              render_shared_template "create_app_user.rb", "#{migration_path}/#{timestamp}_create_app_user.rb"
-              say "Created app user migration for #{db_name} in #{migration_path}", :green
-            end
-          else
-            say "No migrations_paths defined for database '#{db_name}', skipping app user migration", :yellow
-          end
-        end
-
-        # Handle primary database (default behavior)
-        timestamp = Time.current.strftime("%Y%m%d%H%M%S")
-        render_shared_template "create_app_user.rb", "db/migrate/#{timestamp}_create_app_user.rb"
-        say "Created app user migration for primary database", :green
       end
 
       def table_name
-        @table_name ||= ask("Enter table name for RLS:")
+        @table_name ||= ask('Enter table name for RLS:')
       end
     end
   end

data/lib/rls_multi_tenant/generators/migration/templates/enable_rls.rb

@@ -2,11 +2,11 @@ class EnableRlsFor<%= table_name.camelize %> < ActiveRecord::Migration[<%= Rails
   def change
     reversible do |dir|
       dir.up do
-        # Enable Row Level Security
-        execute 'ALTER TABLE <%= table_name %> ENABLE ROW LEVEL SECURITY'
+        # Enable and force Row Level Security
+        execute 'ALTER TABLE <%= table_name %> ENABLE ROW LEVEL SECURITY, FORCE ROW LEVEL SECURITY'
         
         # Create RLS policy
-        execute "CREATE POLICY <%= table_name %>_app_user ON <%= table_name %> TO #{ENV['<%= RlsMultiTenant.app_user_env_var %>']} USING (<%= RlsMultiTenant.tenant_id_column %> = NULLIF(current_setting('rls.<%= RlsMultiTenant.tenant_id_column %>', TRUE), '')::uuid)"
+        execute "CREATE POLICY <%= table_name %>_app_user ON <%= table_name %> USING (<%= RlsMultiTenant.tenant_id_column %> = NULLIF(current_setting('rls.<%= RlsMultiTenant.tenant_id_column %>', TRUE), '')::uuid)"
       end
       
       dir.down do
@@ -14,7 +14,7 @@ class EnableRlsFor<%= table_name.camelize %> < ActiveRecord::Migration[<%= Rails
         execute "DROP POLICY <%= table_name %>_app_user ON <%= table_name %>"
         
         # Disable RLS
-        execute "ALTER TABLE <%= table_name %> DISABLE ROW LEVEL SECURITY"
+        execute "ALTER TABLE <%= table_name %> DISABLE ROW LEVEL SECURITY, NO FORCE ROW LEVEL SECURITY"
       end
     end
   end

data/lib/rls_multi_tenant/generators/model/model_generator.rb

@@ -1,43 +1,38 @@
 # frozen_string_literal: true
 
 require 'rails/generators'
-require 'ostruct'
 
 module RlsMultiTenant
   module Generators
     class ModelGenerator < Rails::Generators::Base
-      source_root File.expand_path("templates", __dir__)
+      source_root File.expand_path('templates', __dir__)
 
-      argument :name, type: :string, desc: "Model name"
-      argument :attributes, type: :array, default: [], banner: "field:type field:type"
+      argument :name, type: :string, desc: 'Model name'
+      argument :attributes, type: :array, default: [], banner: 'field:type field:type'
 
       def initialize(args, *options)
         super
         @attributes = parse_attributes!
       end
 
-      desc "Generate a multi-tenant model with RLS policies"
+      desc 'Generate a multi-tenant model with RLS policies'
 
       def create_model_file
-        template "model.rb", File.join("app/models", "#{model_name.underscore}.rb")
+        template 'model.rb', File.join('app/models', "#{model_name.underscore}.rb")
       end
 
       def create_migration
-        template "migration.rb", File.join("db/migrate", "#{migration_file_name}.rb")
+        template 'migration.rb', File.join('db/migrate', "#{migration_file_name}.rb")
       end
 
       def show_instructions
-        say "\n" + "="*60, :green
+        say "\n#{'=' * 60}", :green
         say "Multi-tenant model '#{model_name}' created successfully!", :green
-        say "="*60, :green
+        say '=' * 60, :green
         say "\nWhat was created:", :yellow
         say "1. Model: app/models/#{model_name.underscore}.rb (with MultiTenant concern included)", :yellow
-        say "2. Migration: #{migration_file_name}.rb (with tenant_id column and RLS policies)", :yellow
-        say "\nNext steps:", :yellow
-        say "1. Run migrations: rails db_as:admin[migrate]", :yellow
-        say "2. The model is ready to use with multi-tenant functionality", :yellow
-        say "3. RLS policies are automatically configured", :yellow
-        say "="*60, :green
+        say "2. Migration: #{migration_file_name}.rb (with RLS policies)", :yellow
+        say '=' * 60, :green
       end
 
       private
@@ -55,7 +50,7 @@ module RlsMultiTenant
       end
 
       def migration_timestamp
-        Time.current.strftime("%Y%m%d%H%M%S")
+        Time.current.strftime('%Y%m%d%H%M%S')
       end
 
       def tenant_id_column
@@ -73,9 +68,9 @@ module RlsMultiTenant
       def parse_attributes!
         attributes.map do |attr|
           name, type = attr.split(':')
-          OpenStruct.new(name: name, type: type || 'string')
+          { name: name, type: type || 'string' }
         end
       end
     end
   end
-end
+end

data/lib/rls_multi_tenant/generators/model/templates/migration.rb

@@ -4,21 +4,20 @@ class <%= migration_class_name %> < ActiveRecord::Migration[<%= Rails.version.to
     create_table :<%= table_name %> do |t|
       t.references :<%= tenant_id_column.to_s.gsub('_id', '') %>, null: false, foreign_key: { to_table: :<%= tenant_class_name.underscore.pluralize %> }, type: :uuid
 <% @attributes.each do |attribute| -%>
-      t.<%= attribute.type %> :<%= attribute.name %>
+      t.<%= attribute[:type] %> :<%= attribute[:name] %>
 <% end -%>
 
       t.timestamps
     end
 
-    # Enable Row Level Security
-    execute "ALTER TABLE <%= table_name %> ENABLE ROW LEVEL SECURITY"
-
     # Define RLS policy
     reversible do |dir|
       dir.up do
-        execute "CREATE POLICY <%= table_name %>_app_user ON <%= table_name %> TO #{ENV['<%= RlsMultiTenant.app_user_env_var %>']} USING (<%= tenant_id_column %> = NULLIF(current_setting('rls.<%= tenant_id_column %>', TRUE), '')::uuid)"
+        execute "ALTER TABLE <%= table_name %> ENABLE ROW LEVEL SECURITY, FORCE ROW LEVEL SECURITY"
+        execute "CREATE POLICY <%= table_name %>_app_user ON <%= table_name %> USING (<%= tenant_id_column %> = NULLIF(current_setting('rls.<%= tenant_id_column %>', TRUE), '')::uuid)"
       end
       dir.down do
+        execute "ALTER TABLE <%= table_name %> DISABLE ROW LEVEL SECURITY, NO FORCE ROW LEVEL SECURITY"
         execute "DROP POLICY <%= table_name %>_app_user ON <%= table_name %>"
       end
     end