rls_multi_tenant 0.2.8 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1ac751dd2c642fe57321ed7af2122805db1654353d933b12aba216cad22c0160
-  data.tar.gz: 947a7c120d823380bf29cb80881c64739bf662e284021805576fbf0baa733138
+  metadata.gz: 8fab0710fc915514adcd0f8ba409b24557b5cafe0f1f0bdc4084b24d25b2fba5
+  data.tar.gz: 6359b5afdeb5493f4e56482682d6e82ff4a9e6aafd36adbfdf8998630b715525
 SHA512:
-  metadata.gz: 27c78853768c5fd7e978184455ff9ba8b60401314d752e8b7140b775bf2b897820dcebca6eb7efc9467317b08de8adabbde8e49a36c0edcf3e09e775520871f9
-  data.tar.gz: ac3e1092d6a177323f08fcf7e2fb371bd90502af21afba051fb0c90917edc4497fabc950325035614acd8918a41f3076cd6d1e9e02132a599fb03d4dc8854806
+  metadata.gz: a5079b1e2b6d73d30197ffd65042468301bc80afb36a573f2f6edcbf9663a320dca71354828f839bdbcac1d35ee72fcc70bd060ef9ee379ffe028740f99ac2f7
+  data.tar.gz: 89af2331b8b0f91f844e2a994e40f7d5162ea739a744d41a0e3d02675b5ca89a5c3d1f53f79b6ab0f8ab07e17d229893b937bb4fb2c2c2d4e2499ee504788dd5

data/CHANGELOG.md

@@ -0,0 +1,57 @@
+# Changelog
+
+All notable changes to this project are documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.3.0] - 2026-06-04
+
+Security-focused release. Hardens tenant isolation and SQL handling.
+
+### Breaking Changes
+
+- **`TenantContext.switch` now runs its block inside a database transaction.**
+  The block form previously used a session-level `SET`; it now uses `SET LOCAL`
+  wrapped in a transaction so PostgreSQL guarantees the tenant context is cleared
+  when the transaction ends, preventing it from leaking onto pooled connections.
+
+  Because the subdomain middleware wraps each request in `switch`, the entire
+  request now executes within a single transaction. Observable consequences:
+  - `after_commit` callbacks fire at the end of the request instead of per-save.
+  - An unrescued error inside the block rolls back all of the request's writes.
+  - Application-level `transaction` blocks become savepoints (`requires_new`).
+  - The connection is held for the duration of the request.
+
+  If you relied on per-save commit semantics, review those code paths. The
+  permanent `switch!` (session-level `SET`) still exists for the console and
+  single-tenant scripts, but is now documented as unsafe on pooled connections —
+  always pair it with `reset!`.
+
+### Security
+
+- **Cross-tenant context leak fixed** — `switch` uses `SET LOCAL` in a
+  transaction; the context can no longer survive on a pooled connection if
+  cleanup fails (crash, killed thread, lost connection).
+- **SUPERUSER and inherited BYPASSRLS now rejected** — `SecurityValidator`
+  inspects the actually connected role (`current_user`), rejects `rolsuper`
+  (superusers bypass RLS unconditionally), and evaluates the effective
+  `BYPASSRLS` privilege across inherited roles via `pg_has_role`.
+- **SQL identifier injection hardened** — `RlsHelper` and `TenantContext` quote
+  table/column/policy identifiers (`quote_table_name` / `quote_column_name`),
+  validate identifiers against a strict pattern, and pass catalog literals and
+  `current_setting` arguments through `connection.quote`.
+- **Cross-tenant assignment blocked** — `MultiTenant#set_tenant_id` raises when
+  an explicit `tenant_id` differs from the active context and always pins the
+  value to the current tenant, adding an application-layer guard on top of
+  database enforcement.
+
+### Fixed
+
+- `tenant_class` is resolved on every call instead of being memoized, avoiding a
+  stale class object across development code reloads and reconfiguration.
+- Removed the railtie initializer that reset configuration to defaults on every
+  boot and could clobber a host application's settings depending on load order.
+- Subdomain extraction now handles IPv6 hosts (`::1`, `[::1]`) and `host:port`
+  forms via `IPAddr`, instead of treating them as domains and producing a bogus
+  subdomain.

data/lib/rls_multi_tenant/concerns/multi_tenant.rb

@@ -17,14 +17,31 @@ module RlsMultiTenant
 
         def set_tenant_id
           current_tenant = RlsMultiTenant.tenant_class.current
+          ensure_tenant_context!(current_tenant)
 
-          if current_tenant && send(RlsMultiTenant.tenant_id_column).blank?
-            send("#{RlsMultiTenant.tenant_id_column}=", current_tenant.id)
-          elsif current_tenant.nil?
-            raise RlsMultiTenant::Error,
-                  "Cannot create #{self.class.name} without tenant context. " \
-                  'This model requires a tenant context. '
-          end
+          column = RlsMultiTenant.tenant_id_column
+          ensure_same_tenant!(send(column), current_tenant)
+          send("#{column}=", current_tenant.id)
+        end
+
+        def ensure_tenant_context!(current_tenant)
+          return unless current_tenant.nil?
+
+          raise RlsMultiTenant::Error,
+                "Cannot create #{self.class.name} without tenant context. " \
+                'This model requires a tenant context. '
+        end
+
+        # Reject an explicit tenant_id that points at a different tenant than the
+        # active context. The database (FORCE RLS + WITH CHECK) is the real
+        # guard, but failing fast here prevents silently building a record that
+        # the policy will reject, and blocks cross-tenant writes at the
+        # application layer as defense in depth.
+        def ensure_same_tenant!(assigned, current_tenant)
+          return if assigned.blank? || assigned.to_s == current_tenant.id.to_s
+
+          raise RlsMultiTenant::Error,
+                "Cannot assign #{self.class.name} to a different tenant than the current context."
         end
       end
     end

data/lib/rls_multi_tenant/concerns/tenant_context.rb

@@ -5,43 +5,63 @@ module RlsMultiTenant
     module TenantContext
       extend ActiveSupport::Concern
 
+      # PostgreSQL unquoted identifier pattern, used to validate the configured
+      # tenant id column before embedding it in a GUC name.
+      IDENTIFIER_PATTERN = /\A[a-zA-Z_][a-zA-Z0-9_]*\z/
+
       SET_TENANT_ID_SQL = 'SET %s = %s'
+      SET_LOCAL_TENANT_ID_SQL = 'SET LOCAL %s = %s'
       RESET_TENANT_ID_SQL = 'RESET %s'
+      RESET_LOCAL_TENANT_ID_SQL = 'SET LOCAL %s TO DEFAULT'
 
       # rubocop:disable Metrics/BlockLength
       class_methods do
         def tenant_session_var
-          "rls.#{RlsMultiTenant.tenant_id_column}"
-        end
+          column = RlsMultiTenant.tenant_id_column.to_s
+          unless column.match?(IDENTIFIER_PATTERN)
+            raise ConfigurationError, "Invalid tenant_id_column: #{RlsMultiTenant.tenant_id_column.inspect}"
+          end
 
-        def tenant_stack
-          Thread.current[:"#{name}_tenant_stack"] ||= []
+          "rls.#{column}"
         end
 
-        # Switch tenant context for a block
+        # Switch tenant context for a block.
+        #
+        # Uses SET LOCAL inside a transaction so PostgreSQL itself scopes the
+        # tenant context to the transaction and guarantees it is cleared when
+        # the transaction ends — even if the block raises or the process dies
+        # mid-request. This prevents the context from leaking onto a pooled
+        # connection and being reused by a different tenant's request.
         def switch(tenant_or_id)
           tenant_id = extract_tenant_id(tenant_or_id)
           validate_tenant_exists!(tenant_id)
 
-          previous_tenant_id = current_tenant_id
-          tenant_stack.push(previous_tenant_id)
-
-          connection.execute format(SET_TENANT_ID_SQL, tenant_session_var, connection.quote(tenant_id))
-          yield
-        ensure
-          restore_tenant_context!
+          connection.transaction(requires_new: true) do
+            previous_tenant_id = current_tenant_id
+            apply_tenant_context(tenant_id, local: true)
+            begin
+              yield
+            ensure
+              apply_tenant_context(previous_tenant_id, local: true)
+            end
+          end
         end
 
-        # Switch tenant context permanently (until reset)
+        # Switch tenant context permanently (until reset).
+        #
+        # WARNING: this sets a session-level variable that persists on the
+        # connection until reset! is called. On a pooled connection it can leak
+        # to subsequent requests. Prefer the block form `switch` whenever
+        # possible; only use switch! for the console or single-tenant scripts,
+        # and always pair it with reset!.
         def switch!(tenant_or_id)
           tenant_id = extract_tenant_id(tenant_or_id)
           validate_tenant_exists!(tenant_id)
-          connection.execute format(SET_TENANT_ID_SQL, tenant_session_var, connection.quote(tenant_id))
+          apply_tenant_context(tenant_id, local: false)
         end
 
         # Reset tenant context
         def reset!
-          tenant_stack.clear
           connection.execute format(RESET_TENANT_ID_SQL, tenant_session_var)
         end
 
@@ -49,8 +69,8 @@ module RlsMultiTenant
         def current
           return nil unless connection.active?
 
-          result = connection.execute("SHOW #{tenant_session_var}")
-          tenant_id = result.first&.dig(tenant_session_var)
+          result = connection.execute("SELECT current_setting(#{connection.quote(tenant_session_var)}, true) AS tenant_id")
+          tenant_id = result.first&.dig('tenant_id')
 
           return nil if tenant_id.blank?
 
@@ -61,27 +81,31 @@ module RlsMultiTenant
 
         private
 
+        # Apply (or clear, when tenant_id is blank) the tenant context.
+        # local: true uses SET LOCAL (transaction-scoped); false uses session SET.
+        def apply_tenant_context(tenant_id, local:)
+          if tenant_id.blank?
+            reset_sql = local ? RESET_LOCAL_TENANT_ID_SQL : RESET_TENANT_ID_SQL
+            connection.execute format(reset_sql, tenant_session_var)
+          else
+            set_sql = local ? SET_LOCAL_TENANT_ID_SQL : SET_TENANT_ID_SQL
+            connection.execute format(set_sql, tenant_session_var, connection.quote(tenant_id))
+          end
+        end
+
         def current_tenant_id
           return nil unless connection.active?
 
-          result = connection.execute("SHOW #{tenant_session_var}")
-          result.first&.dig(tenant_session_var)
+          result = connection.execute("SELECT current_setting(#{connection.quote(tenant_session_var)}, true) AS tenant_id")
+          result.first&.dig('tenant_id')
         rescue ActiveRecord::StatementInvalid, PG::Error
           nil
         end
 
-        def restore_tenant_context!
-          previous_tenant_id = tenant_stack.pop
-
-          if previous_tenant_id.present?
-            connection.execute format(SET_TENANT_ID_SQL, tenant_session_var, connection.quote(previous_tenant_id))
-          else
-            connection.execute format(RESET_TENANT_ID_SQL, tenant_session_var)
-          end
-        end
-
         def extract_tenant_id(tenant_or_id)
           case tenant_or_id
+          when nil
+            nil
           when ->(obj) { obj.is_a?(RlsMultiTenant.tenant_class) }
             tenant_or_id.id
           when String, Integer

data/lib/rls_multi_tenant/middleware/subdomain_tenant_selector.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'ipaddr'
+
 module RlsMultiTenant
   module Middleware
     class SubdomainTenantSelector
@@ -84,13 +86,13 @@ module RlsMultiTenant
       end
 
       def extract_subdomain(host)
-        return nil if host.blank? || ip_host?(host)
+        return nil if host.blank?
 
-        # Remove port if present
-        host = host.split(':').first
+        hostname = extract_hostname(host)
+        return nil if hostname.blank? || ip_host?(hostname)
 
         # Split by dots and get the first part (subdomain)
-        parts = host.split('.')
+        parts = hostname.split('.')
 
         # Handle localhost development (e.g., foo.localhost:3000) or standard domains (e.g., foo.example.com)
         return unless (parts.length == 2 && parts.last == 'localhost') || parts.length >= 3
@@ -98,8 +100,26 @@ module RlsMultiTenant
         parts.first
       end
 
-      def ip_host?(host)
-        !/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/.match(host).nil?
+      # Strip an optional :port and IPv6 brackets, returning the bare hostname or
+      # IP literal. Handles host, host:port, ipv4, ipv4:port, [ipv6], [ipv6]:port
+      # and bare ipv6.
+      def extract_hostname(host)
+        if host.start_with?('[') # [ipv6] or [ipv6]:port
+          host[/\A\[(.+?)\]/, 1]
+        elsif host.count(':') > 1 # bare ipv6 (no port)
+          host
+        else # hostname or ipv4, optionally with :port
+          host.split(':').first
+        end
+      end
+
+      def ip_host?(hostname)
+        return false if hostname.blank?
+
+        IPAddr.new(hostname)
+        true
+      rescue IPAddr::InvalidAddressError
+        false
       end
 
       def excluded_subdomain?(subdomain)

data/lib/rls_multi_tenant/railtie.rb

@@ -10,15 +10,6 @@ module RlsMultiTenant
       require 'rls_multi_tenant/generators/model/model_generator'
     end
 
-    initializer 'rls_multi_tenant.configure' do |_app|
-      # Configure the gem
-      RlsMultiTenant.configure do |config|
-        config.tenant_class_name = 'Tenant'
-        config.tenant_id_column = :tenant_id
-        config.enable_security_validation = true
-      end
-    end
-
     initializer 'rls_multi_tenant.security_validation', after: :load_config_initializers do |app|
       if RlsMultiTenant.enable_security_validation
         app.config.after_initialize do

data/lib/rls_multi_tenant/rls_helper.rb

@@ -2,41 +2,50 @@
 
 module RlsMultiTenant
   module RlsHelper
+    # PostgreSQL unquoted identifier: starts with a letter or underscore,
+    # followed by letters, digits or underscores.
+    IDENTIFIER_PATTERN = /\A[a-zA-Z_][a-zA-Z0-9_]*\z/
+
     class << self
       # Enable RLS on a table with a policy
       def enable_rls_for_table(table_name, tenant_column: RlsMultiTenant.tenant_id_column)
+        table = quoted_table(table_name)
+        column = quoted_column(tenant_column)
+        policy = quoted_policy_name(table_name)
+
         # Enable RLS
-        ActiveRecord::Base.connection.execute("ALTER TABLE #{table_name} ENABLE ROW LEVEL SECURITY, FORCE ROW LEVEL SECURITY")
+        connection.execute("ALTER TABLE #{table} ENABLE ROW LEVEL SECURITY, FORCE ROW LEVEL SECURITY")
 
         # Create policy (drop if exists first)
-        policy_name = "#{table_name}_app_user"
-        ActiveRecord::Base.connection.execute("DROP POLICY IF EXISTS #{policy_name} ON #{table_name}")
+        connection.execute("DROP POLICY IF EXISTS #{policy} ON #{table}")
 
-        tenant_session_var = "rls.#{RlsMultiTenant.tenant_id_column}"
-        policy_sql = "CREATE POLICY #{policy_name} ON #{table_name} " \
-                     "USING (#{tenant_column} = NULLIF(current_setting('#{tenant_session_var}', TRUE), '')::uuid)"
+        tenant_session_var = "rls.#{validated_identifier(RlsMultiTenant.tenant_id_column)}"
+        policy_sql = "CREATE POLICY #{policy} ON #{table} " \
+                     "USING (#{column} = NULLIF(current_setting(#{connection.quote(tenant_session_var)}, TRUE), '')::uuid)"
 
-        ActiveRecord::Base.connection.execute(policy_sql)
+        connection.execute(policy_sql)
 
-        Rails.logger&.info "✅ RLS enabled for table #{table_name} with policy #{policy_name}"
+        Rails.logger&.info "✅ RLS enabled for table #{table_name} with policy #{table_name}_app_user"
       end
 
       # Disable RLS on a table
       def disable_rls_for_table(table_name)
+        table = quoted_table(table_name)
+        policy = quoted_policy_name(table_name)
+
         # Drop policy
-        policy_name = "#{table_name}_app_user"
-        ActiveRecord::Base.connection.execute("DROP POLICY IF EXISTS #{policy_name} ON #{table_name}")
+        connection.execute("DROP POLICY IF EXISTS #{policy} ON #{table}")
 
         # Disable RLS
-        ActiveRecord::Base.connection.execute("ALTER TABLE #{table_name} DISABLE ROW LEVEL SECURITY, NO FORCE ROW LEVEL SECURITY")
+        connection.execute("ALTER TABLE #{table} DISABLE ROW LEVEL SECURITY, NO FORCE ROW LEVEL SECURITY")
 
         Rails.logger&.info "✅ RLS disabled for table #{table_name}"
       end
 
       # Check if RLS is enabled on a table
       def rls_enabled?(table_name)
-        result = ActiveRecord::Base.connection.execute(
-          "SELECT relrowsecurity FROM pg_class WHERE relname = '#{table_name}'"
+        result = connection.execute(
+          "SELECT relrowsecurity, relforcerowsecurity FROM pg_class WHERE relname = #{connection.quote(table_name.to_s)}"
         ).first
 
         result&.dig('relrowsecurity') == true && result&.dig('relforcerowsecurity') == true
@@ -44,10 +53,39 @@ module RlsMultiTenant
 
       # Get all RLS policies for a table
       def rls_policies(table_name)
-        ActiveRecord::Base.connection.execute(
-          "SELECT policyname, permissive, roles, cmd, qual FROM pg_policies WHERE tablename = '#{table_name}'"
+        connection.execute(
+          'SELECT policyname, permissive, roles, cmd, qual FROM pg_policies ' \
+          "WHERE tablename = #{connection.quote(table_name.to_s)}"
         )
       end
+
+      private
+
+      def connection
+        ActiveRecord::Base.connection
+      end
+
+      def quoted_table(table_name)
+        connection.quote_table_name(validated_identifier(table_name))
+      end
+
+      def quoted_column(column_name)
+        connection.quote_column_name(validated_identifier(column_name))
+      end
+
+      def quoted_policy_name(table_name)
+        connection.quote_column_name("#{validated_identifier(table_name)}_app_user")
+      end
+
+      # Guard against SQL injection through identifiers (table/column names),
+      # which cannot be passed as bind parameters and must be embedded in the
+      # statement text.
+      def validated_identifier(identifier)
+        value = identifier.to_s
+        return value if value.match?(IDENTIFIER_PATTERN)
+
+        raise ArgumentError, "Invalid SQL identifier: #{identifier.inspect}"
+      end
     end
   end
 end

data/lib/rls_multi_tenant/security_validator.rb

@@ -2,33 +2,74 @@
 
 module RlsMultiTenant
   class SecurityValidator
+    TRUTHY_VALUES = [true, 't'].freeze
+
     class << self
       def validate_database_user!
         return unless RlsMultiTenant.enable_security_validation
 
         begin
-          # Get the current database configuration
-          db_config = ActiveRecord::Base.connection_db_config
-          username = db_config.configuration_hash[:username]
-
-          # Check if the user has bypassrls privilege
-          bypassrls_check = ActiveRecord::Base.connection.execute(
-            "SELECT rolbypassrls FROM pg_roles WHERE rolname = '#{username}'"
-          ).first
-
-          if bypassrls_check && bypassrls_check['rolbypassrls']
-            raise SecurityError, "Database user '#{username}' has BYPASSRLS privilege. " \
-                                 'In order to use RLS Multi-tenant, you must use a non-privileged user ' \
-                                 'without BYPASSRLS privilege.'
-          end
-
-          # Log the security check result
-          Rails.logger&.info "✅ RLS Multi-tenant security check passed: Using user '#{username}' without BYPASSRLS privilege"
+          role = current_role
+          username = role && role['username']
+
+          ensure_not_superuser!(role, username)
+          ensure_no_bypassrls!(username)
+
+          Rails.logger&.info "✅ RLS Multi-tenant security check passed: Using user '#{username}' " \
+                             'without SUPERUSER or BYPASSRLS privileges'
         rescue StandardError => e
           Rails.logger&.error "❌ RLS Multi-tenant security check failed: #{e.message}"
           raise e
         end
       end
+
+      private
+
+      # Inspect the actual connected role (current_user), not the configured
+      # username, so the check reflects what PostgreSQL really enforces and
+      # avoids interpolating a config value into SQL.
+      def current_role
+        ActiveRecord::Base.connection.execute(<<~SQL.squish).first
+          SELECT current_user AS username, rolsuper, rolbypassrls
+          FROM pg_roles WHERE rolname = current_user
+        SQL
+      end
+
+      # A SUPERUSER bypasses RLS unconditionally, regardless of the rolbypassrls
+      # flag, so it must be rejected explicitly.
+      def ensure_not_superuser!(role, username)
+        return unless truthy?(role && role['rolsuper'])
+
+        raise SecurityError, "Database user '#{username}' is a SUPERUSER. " \
+                             'Superusers bypass Row Level Security entirely. You must use a ' \
+                             'non-privileged, non-superuser role for RLS Multi-tenant.'
+      end
+
+      # BYPASSRLS can also be inherited through role membership, so check the
+      # effective privilege across every role the user is a member of.
+      def ensure_no_bypassrls!(username)
+        return unless bypassrls_effective?
+
+        raise SecurityError, "Database user '#{username}' has BYPASSRLS privilege " \
+                             '(directly or through an inherited role). ' \
+                             'In order to use RLS Multi-tenant, you must use a non-privileged user ' \
+                             'without BYPASSRLS privilege.'
+      end
+
+      def bypassrls_effective?
+        result = ActiveRecord::Base.connection.execute(<<~SQL.squish).first
+          SELECT bool_or(rolbypassrls) AS bypass
+          FROM pg_roles WHERE pg_has_role(current_user, oid, 'USAGE')
+        SQL
+
+        truthy?(result && result['bypass'])
+      end
+
+      # PostgreSQL boolean columns may come back as true/false or 't'/'f'
+      # depending on the adapter/decoder configuration.
+      def truthy?(value)
+        TRUTHY_VALUES.include?(value)
+      end
     end
   end
 end

data/lib/rls_multi_tenant/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RlsMultiTenant
-  VERSION = '0.2.8'
+  VERSION = '0.3.0'
 end

data/lib/rls_multi_tenant.rb

@@ -28,7 +28,10 @@ module RlsMultiTenant
     end
 
     def tenant_class
-      @tenant_class ||= tenant_class_name.constantize
+      # Resolve on every call rather than memoizing: a memoized class object
+      # goes stale across code reloads in development and after the tenant
+      # class name is reconfigured, which can break associations.
+      tenant_class_name.constantize
     end
 
     def tenant_id_column

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rls_multi_tenant
 version: !ruby/object:Gem::Version
-  version: 0.2.8
+  version: 0.3.0
 platform: ruby
 authors:
 - Coding Ways
@@ -158,6 +158,7 @@ extra_rdoc_files: []
 files:
 - ".rspec"
 - ".rubocop.yml"
+- CHANGELOG.md
 - README.md
 - lib/rls_multi_tenant.rb
 - lib/rls_multi_tenant/concerns/multi_tenant.rb
@@ -204,7 +205,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 4.0.8
 specification_version: 4
 summary: Rails gem for PostgreSQL Row Level Security (RLS) multi-tenant applications
 test_files: []